What’s New in Wireless – August 2025
The wireless industry has revolutionized the way we connect, from facilitating teleworking, distance learning, and telemedicine to allowing the American public to interact virtually in almost all other aspects of their daily lives. Leading policymakers – federal regulators and legislators – are making it a top priority to ensure that the wireless industry has the tools and resources it needs to keep pace with this evolving landscape. This blog provides monthly updates on actions by federal regulatory bodies responsible for communications policy and Congressional efforts to support wireless connectivity. And this month we highlight the FCC’s proposals to streamline and accelerate wireless infrastructure deployments as part of its “Build America” agenda.
Regulatory Actions and Initiatives
Wireless Networks, Equipment, and Infrastructure
The FCC Takes Steps to Accelerate Infrastructure Deployment. As part of its “Build America” agenda, the FCC adopted a Notice of Proposed Rulemaking that re-examines the agency’s environmental rules to ensure that they comport with the National Environmental Policy Act (“NEPA”), as amended, and promotes greater and faster infrastructure deployment. The Notice also takes a fresh look at the Commission’s National Historic Preservation Act (“NHPA”) requirements. According to the News Release issued about the Notice, the FCC’s Build America agenda “aims to unleash new infrastructure projects in communities all across the country.”
The FCC Initiates a Re-examination of its Emergency Alert System. In addition to reviewing its NEPA and NHPA requirements, the FCC adopted a Notice of Proposed Rulemaking that initiates a review of the FCC’s Emergency Alert System and Wireless Emergency Alerts. The Notice, in particular, evaluates the goals of the systems, whether the systems are achieving those goals, and the steps the Commission should take to modernize the systems.
The FCC Seeks to Update its Disaster Information Reporting System (“DIRS”). The FCC adopted a Third Further Notice of Proposed Rulemaking and Order on Reconsideration ahead of its August meeting that seeks to modernize the Commission’s DIRS. Among other things, the Further Notice proposes to streamline and simplify DIRS reporting requirements for wireless service providers and others. It also proposes to eliminate DIRS reporting requirements for resellers and mobile virtual network operators. The accompanying Order clarifies the requirements for outage reporting when the outage occurs right before a DIRS activation, and it maintains requirements to send outage notifications to 911 and 988 special facilities during DIRS activations. The News Release about the FCC’s adoption of the item highlights that the item “will pave the way for reforms” to DIRS so that “its benefits outweigh its burdens.”
Comment Deadlines Established on the FCC’s “Bad Labs” Proposals. The FCC’s Report and Order adopting rules that prohibit the use of any Telecommunications Certification Body, test lab, or laboratory accreditation body owned by, controlled by, or subject to the direction of a “prohibited entity” – i.e., “bad labs” – in the FCC’s equipment authorization process was published in the Federal Register on August 7, 2025. Accordingly, the rules will become effective September 8, 2025, except for those requiring approval by the Office of Management and Budget under the Paperwork Reduction Act. In addition, the FCC’s Further Notice of Proposed Rulemaking seeking comment on further measures to safeguard the integrity of the Commission’s equipment authorization program was published in the Federal Register on July 16, 2025. Accordingly, comments and reply comments on the Further Notice will be due August 15, 2025, and September 15, 2025, respectively.
The FCC Reminds Rip-and-Replace Support Recipients of Their Spending Report Deadline. The FCC’s Wireline Competition Bureau released a Public Notice on July 10, 2025, reminding all rip-and-replace support recipients of their obligation to file their next spending reports with the FCC by August 10, 2025.
Spectrum
The FCC Solicits Comments on Airspan’s Use of Spectrum in the 3 GHz Band. On July 17, 2025, the FCC’s Wireless Telecommunications Bureau and Office of Engineering and Technology released a Public Notice seeking comment on a petition filed by Airspan Networks, Inc. (“Airspan”) that seeks a waiver of the Commission’s out-of-band emission limits for the 3.45 GHz band. Airspan requests a waiver in order to “facilitate the marketing and operation of base station radios that would be operated in the 3.45 GHz and 3.7 GHz Services, either simultaneously or on a stand-alone basis.” Comments and reply comments on the petition are due August 18, 2025, and September 2, 2025, respectively.
The GAO Sends Recommendations to NTIA on Spectrum Sharing. The Government Accountability Office (“GAO”) sent a letter to the National Telecommunications and Information Administration (“NTIA”) on July 14, 2025, to highlight certain “priority recommendations” related to: (i) spectrum; (ii) cybersecurity risks and IT; and (iii) federal broadband programs. With respect to spectrum, in particular, the GAO identified two priority recommendations to improve NTIA’s management of federal spectrum use, both of which relate to a 2021 GAO Report on improving collaboration between the FCC and NTIA. First, to address the increase in demand for spectrum from both federal and non-federal users, the GAO recommends that NTIA establish procedures to help guide the design of spectrum-sharing and potential interference studies intended as U.S. contributions to World Radiocommunication Conference technical meetings. Second, the GAO recommends that NTIA request that the Department of State review and update the General Guidance Document outlining processes for working with other agencies to prepare for international conferences where spectrum regulations are updated.
Legislative Efforts
The House Introduces a Bill That Would Promote Secure and Trusted Telecommunications Infrastructure. On July 17, 2025, Representatives Kim and Keating introduced the Securing Global Telecommunications Act. If enacted, the bill would, among other things, require the State Department to establish a comprehensive strategy to promote secure telecommunications infrastructure around the world. In particular, the strategy would address mobile networks, data centers, 6G, and low-earth orbit satellites, aerostats, and stratospheric balloons. The bill is now in committee.
Privacy Tip #454 – Students Sue Kansas School District Over AI Surveillance Tool
Current and former students at Lawrence High School and Free State High School, located in Lawrence, Kansas, have sued the school district, alleging that its use of an AI surveillance tool violates their privacy.
The allegations revolve around the school district’s use of Gaggle, which is an AI tool that mines the district’s Google Workspace, including Gmail, Drive, and other Google products used by students through the public schools’ network. Gaggle is designed to “flag content it deems a safety risk, such as allusions to self-harm, depression, drug use and violence.”
The plaintiffs are student journalists, artists, and photographers who reported on Gaggle or had their work flagged and removed by the AI tool. They allege that Gaggle could access their notes, thereby allowing access by the district, which they allege is a violation of journalists’ legal protections. They allege that “[s]tudents’ journalism drafts were intercepted before publication, mental health emails to trusted teachers disappeared, and original artwork was seized from school accounts without warning or explanation.”
They further allege that the district’s use of Gaggle is a “sweeping, suspicionless monitoring program” that “violated student rights by flagging and seizing student artwork.” They allege that “Gaggle undermines the mental health goals it attempts to address by intercepting appeals for help students may send to teachers or other trusted adults.”
The lawsuit requests a permanent injunction to stop the use of Gaggle in the district, along with compensatory, nominal, and punitive damages as well as attorney’s fees.
AI tools have their place in today’s business environment, but without careful protocols implemented to protect user privacy, organizations can find themselves in lawsuits that will drain resources and time away from more critical areas of need.
President Trump Signs Debanking Executive Order: Horizontal Reviews for Banks and Credit Unions are Next
Late last year, we predicted that the Trump administration would bring federal action to target de-banking, and on August 7, 2025, President Trump signed a much-anticipated executive order to address the issue. Banks and credit unions should now expect to feel the impact early on in the form of horizontal reviews and inquiries from their banking regulators.
The order announces that the official policy of the Trump Administration is that banks must make decisions “on the basis of individualized, objective, and risk-based analyses,” and that Americans should not be “denied access to financial services because of constitutionally or statutorily protected beliefs, affiliations, or political views.” Additionally, the order sets forth the policy “that politicized or unlawful debanking is not used as a tool to inhibit such beliefs, affiliations, or political views.” Additional sections of the order set out an intent to protect “lawful business activities that the financial service provider disagrees with or disfavors for political reasons.”
Among other things, the order directs federal banking regulators, including the Consumer Financial Protection Bureau (CFPB), the Federal Reserve Board (FRB), the Office of the Comptroller of the Currency (OCC) and the National Credit Union Administration (NCUA) to identify financial entities that may have engaged in the type of debanking that is now contrary to the Administration’s stated official policy. Specifically, the order requires the regulators to identify entities that “have had any past or current, formal or informal, policies or practices that require, encourage, or otherwise influence such financial institution to engage in politicized or unlawful debanking.” This exercise is to be completed within the next 120 days.
Importantly, the phrase “politicized or unlawful debanking” is defined in the executive order as follows:
The term “politicized or unlawful debanking” refers to an act by a bank, savings association, credit union, or other financial services provider to directly or indirectly adversely restrict access to, or adversely modify the conditions of, accounts, loans, or other banking products or financial services of any customer or potential customer on the basis of the customer’s or potential customer’s political or religious beliefs, or on the basis of the customer’s or potential customer’s lawful business activities that the financial service provider disagrees with or disfavors for political reasons.
If politicized or unlawful debanking practices are identified during the upcoming reviews, the federal banking agencies are directed “to take appropriate remedial action,” which may include “levying fines, issuing consent decrees, or imposing other disciplinary measures.” The order specifically cites to section 5 of the Federal Trade Commission Act (15 U.S.C. 45), section 1031 of the Consumer Financial Protection Act (12 U.S.C. 5531), and the Equal Credit Opportunity Act as possible sources of authority for an agency alleging that prior debanking practices violated federal law. This suggests that the government will claim that politicized or unlawful debanking constitutes an unfair act or practice or is unlawful discrimination if based upon an enumerated prohibited basis under the Equal Credit Opportunity Act. That could apply, for example, if action was taken based upon a customer’s religion.
Banks and credit unions should expect to see horizontal reviews and inquiries from the banking regulators, some of which have been quiet recently on the supervision and enforcement fronts. While past practices cannot retroactively be changed, being prepared for upcoming information requests and getting a better understanding of potential risks from historical policies and practices would be prudent and can mitigate the inevitable stress of an off-cycle and otherwise unanticipated in-depth supervisory review.
Additionally, within 180 days, the federal banking regulators are also directed to “review their current supervisory and complaint data to identify any financial institution that has engaged in unlawful debanking on the basis of religion.” As mentioned above, this could implicate the prohibitions of the Equal Credit Opportunity Act. If any offending entities are unable to ensure compliance, the agencies are instructed to “refer such matters to the Attorney General for an appropriate civil action.” This raises an additional prospect of potential scrutiny for financial entities based upon complaint data and other information previously provided to their regulators.
Financial entities outside the bank and credit union categories should also take note. The executive order extends to “other financial services provider[s]” and directs all member agencies of the Financial Stability Oversight Council to implement the executive order. And “politicized or unlawful debanking,” perhaps counterintuitively, is defined to include restrictions or denials of any financial services – not just loans and bank accounts. All financial entities subject to regulation by one of those agencies should be considering the potential application of the Guaranteeing Fair Banking for All Americans order to their specific situation.
Federal Jury Finds Against Meta for Collecting Data from Flo Health
On August 1, 2025, a California federal jury found that Meta violated the California Invasion of Privacy Act (CIPA) by collecting data from the Flo Health app without the consent of the individuals who downloaded the app and provided information about their period, ovulation, and pregnancies.
CIPA is California’s wiretap law, and the jury found that Meta effectively “eavesdropped” on Flo app users without their consent. According to the plaintiffs, Flo collected information from Flo users after they completed a survey regarding their pregnancy status, tracking of their period, and other information about their menstrual cycle. The suit alleged that although Flo promised not to disclose user-provided information, it provided Meta, Google, and Flurry access to this information through custom app events sent through software development kits incorporated into the Flo app. This is a very common practice among websites and apps that track individuals for marketing purposes.
The jury found that the sharing of this data was a violation of CIPA. Damages have not been determined as yet. Flo, Google, and Flurry were also named defendants in the case, but plaintiffs settled with the other three defendants before trial began.
New Updates to CCPA Regulations: California’s Focus on Automated Decisionmaking Technology, Cybersecurity Audits, Risk Assessments, and More
On July 24, 2025, during a public meeting following public comment, the California Privacy Protection Agency (CPPA) Board unanimously approved amendments to the California Consumer Privacy Act (CCPA). These substantial changes include new obligations for businesses subject to the CCPA. Significantly, the updates emphasize CPPA’s new regulatory focus over AI decision-making and cybersecurity in addition to privacy. In addition, the CPPA opted to open the Delete Request and Opt-Out Platform (DROP) regulations for further public comment on its proposed changes. Below is a summary of the key updates:
Automated Decisionmaking Technology
ADMT Defined – The updates provide a new regulatory focus on automated decisionmaking technology (ADMT), which is defined as “any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.” This definition does not cover when such automated technology is used to assist in, but not to entirely substitute, human decisionmaking.
Consumer Rights – Under the new ADMT provisions, businesses must inform consumers of their opt-out and access rights with respect to the business’s use of ADMT to make any significant decisions about the consumer. “Significant decisions” are defined as decisions related to financial or lending services, housing, education opportunities, employment opportunities, or healthcare services.
Pre-Use Notice – Businesses must also provide pre-use notices regarding the use of ADMT. These notices should explain what the ADMT does, consumer rights related to opt-out and access, and a detailed description of how the ADMT works to make a significant decision about the consumer.
Annual Cybersecurity Audits
The CCPA final text introduces an annual cybersecurity audit requirement for businesses that meet a certain threshold. Businesses will be required to conduct annual, independent cybersecurity audits to assess how their cybersecurity program protects consumer personal information from unauthorized access and disclosure. Businesses are required to submit a certificate of completion to the CPPA annually.
Audit Components – Components of a cybersecurity program that fall into the audit’s scope include the business’s cybersecurity measures such as authentication, access controls, inventory management, secure hardware and software configurations, network monitoring, and cybersecurity education. The report must outline, in detail, gaps or weaknesses in the organization’s policies or cybersecurity program components that the auditor deemed to increase the risk of unauthorized access or activity.
Impartiality Requirement – Audits must be performed by an independent and qualified professional. If the auditor is internal to the business, the CCPA requires specific measures to be put in place to ensure the auditor’s impartiality and objectivity.
Repurposing Audits – A cybersecurity audit used for another purpose, such as an audit that uses the NIST Cybersecurity Framework 2.0, may be used for this audit purpose, provided that it meets all of the requirements outlined in the CCPA.
Compliance Timeline – The timeline for completion of the initial cybersecurity audit depends on the business’s revenue for the previous years. All businesses must complete this audit by April 1, 2030, but some will be required to do so by April 1, 2028, depending on annual income.
Pre-Processing Risk Assessments
Under the new regulations, any business that poses a significant risk to consumers’ privacy in processing personal information must conduct a risk assessment before initiating that processing. The goal of a risk assessment is to restrict or prohibit the processing of personal information if the resulting privacy risks to the consumer outweigh the benefits to the business and other stakeholders. Risk assessments must be reviewed and updated once every three years. If there is a material change in processing activity, a business must update its risk assessment as soon as possible, but no later than 45 calendar days from the change.
Broad Definition of Significant Risk – The CCPA outlines several activities that are deemed to present significant risk, including selling or sharing personal information and processing sensitive personal information. This is an expansive definition, because most businesses share personal information with third parties.
Risk Assessment Components – Risk assessments must document a business’s purpose for processing consumer personal information and the benefits to the organization of that processing. Risk assessments must also document the categories of information to be processed. In addition, the risk assessment must also consider the negative impacts of processing to consumers’ privacy. The business must further identify safeguards it plans to implement for the processing, such as encryption and privacy-enhancing technologies.
Compliance Timeline – For risk assessments conducted in 2026 and 2027, businesses must submit an attestation to the CPPA by April 1, 2028. The individual submitting the risk assessment attestation must be a member of the business’s executive management team who is directly responsible for, and has sufficient knowledge of, the business’s risk assessment compliance. Risk assessments must be maintained for as long as the processing continues or five years after completion, whichever is later, and available for inspection by CPPA or the Attorney General.
Insurance
The final CCPA changes also include clarification of the law’s application to insurance companies. Insurers are required to comply with the CCPA for personal information collected outside of an insurance transaction. The final text provides an example whereby if an insurance company collects personal information of website visitors who have not applied for any insurance product or service to tailor personalized advertisements to those users, the insurer must comply with the CCPA with respect to that information. Since most websites use tracking technologies, insurance companies should assess their compliance with the CCPA promptly.
Recommended Next Steps
The California Office of Administrative Law (OAL) still needs to review and approve these changes. OAL has 30 business days after receiving the final text from the CPPA to do so. However, many industry experts expect that the OAL will only make minor, if any, changes. Businesses should expect the OAL to approve most of this final text. The regulations take effect in 2027, so preparation for these new compliance obligations should be a top priority. CPPA’s next meeting is September 26, 2025, where it is expected to present its annual enforcement report and priorities. For a more in-depth analysis of the new CPPA Regulations, click here.
CISA Releases Malware Analysis Report for Microsoft SharePoint Vulnerabilities
Threat actors continue to exploit ToolShell to gain unauthorized access to on-premises SharePoint servers. On August 6, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a malware analysis report after analyzing six files “including two Dynamic Link-Library (.DLL), one cryptographic key stealer, and three web shells. Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint host system and exfiltrate data.”
The report includes the indicators of compromise and detection signatures to identify malware samples. The report also includes an analysis of YARA Rules, Sigma Rules, ssdeep matches, screenshots, PE Metadata, PE Sections, Packers/Compilers/Cryptors, Tags and Details.
If your organization has been, or is potentially affected by ToolShell, take advantage of CISA’s analysis and use it to mitigate any potential effect on your company.
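The report’s observation that the malware runs a Base64-encoded PowerShell command is one behaviour a defender can check for in endpoint process-creation logs. The following Python is an added example, not code or a rule from the CISA report: it parses a few constructed log lines (the field names, the w3wp.exe parent-process heuristic and the sample command are assumptions for illustration), flags any abbreviation of -EncodedCommand, decodes the payload (PowerShell expects base64 of UTF-16LE text) so an analyst can read it, and separately flags a shell spawned by the IIS worker process that hosts on-premises SharePoint.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# case-insensitively; match that followed by a base64-looking token.
_ENC_FLAGS = sorted({"e", "ec", *("encodedcommand"[:n] for n in range(2, 15))}, key=len, reverse=True)
_ENC_RE = re.compile(r"(?<!\S)-(?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Assumption for this sample: on-premises SharePoint runs inside IIS, whose worker
# process is w3wp.exe, so a shell whose parent is w3wp.exe deserves a second look.
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Constructed sample: the encoded command is a harmless stand-in, not the report's payload.
_SAMPLE_COMMAND = "Write-Output $env:COMPUTERNAME"
_SAMPLE_B64 = base64.b64encode(_SAMPLE_COMMAND.encode("utf-16-le")).decode("ascii")

SAMPLE_LOGS = [  # constructed process-creation events, not real telemetry
    f'ParentImage=w3wp.exe Image=powershell.exe CommandLine="powershell.exe -NoProfile -EncodedCommand {_SAMPLE_B64}"',
    'ParentImage=explorer.exe Image=powershell.exe CommandLine="powershell.exe -Command Get-Date"',
    'ParentImage=w3wp.exe Image=cmd.exe CommandLine="cmd.exe /c ver"',
]


def parse_log_line(line: str) -> dict:
    """Parse Key=value and Key="quoted value" pairs from one log line."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand payload (base64 of UTF-16LE text); None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(line: str) -> dict:
    """Return a verdict for one log line: flags, human-readable reasons, decoded command."""
    fields = parse_log_line(line)
    cmd = fields.get("CommandLine", "")
    reasons = []
    decoded = None
    m = _ENC_RE.search(cmd)
    if m:
        decoded = decode_encoded_command(m.group(1))
        reasons.append("encoded PowerShell command" + ("" if decoded else " (not valid base64/UTF-16LE)"))
    if fields.get("ParentImage", "").lower() in WEB_WORKERS and fields.get("Image", "").lower() in SHELLS:
        reasons.append("shell spawned by web-server worker")
    return {"suspicious": bool(reasons), "reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        verdict = analyze(entry)
        print(verdict["suspicious"], verdict["reasons"], verdict["decoded"])
```

Decoding the payload matters because a signature on the flag alone tells an analyst nothing about what was run; the decoded text is what you compare against the report’s indicators. The parent-process check is a coarse heuristic and will also fire on legitimate administrative scripts launched from IIS, so treat it as a triage signal rather than a verdict.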
New York City Pushes Back Compliance Date of Amended Debt-Collection Rules
On July 28, the New York City Department of Consumer and Worker Protection (DCWP) announced that its amended debt-collection rule, scheduled to take effect on October 1, 2025, has been postponed, leaving the industry in limbo for the third time since the rules were finalized in August 2024. DCWP will set a new effective date with at least three months’ advance notice.
DCWP’s amendments, which sit atop the CFPB’s Regulation F, significantly expand disclosure, language access, and record-retention duties for anyone collecting consumer debt in the five boroughs. While the latest delay offers extra implementation time, the substance of the rule remains unchanged.
Key provisions of the amendments include:
Contact frequency limits. Collectors may not contact or attempt to contact a consumer more than three times in any seven-day period across all channels, unless collecting for multiple non-affiliated creditors.
Opt-in electronic outreach. Email, text, or social-media contact requires written, revocable consent and must include a no-cost, one-word opt-out (e.g., “STOP”).
Enhanced validation & verification. A detailed validation notice must be mailed within five days of first contact, and collection must pause upon a consumer dispute or verification request and may not resume until written verification is provided within 45 days.
Time-barred debt safeguards. For debts beyond the statute of limitations, collectors must first send a written notice disclosing the debt is time-barred and wait 14 days before initiating further contact.
Medical-debt credit-reporting ban. Medical debts are prohibited from being furnished to consumer reporting agencies. Disputes on one account extend to related accounts from the same provider within a six-month period.
Three-year record-keeping mandate. Agencies must retain searchable logs of all consumer contacts, disputes, complaints, and call recordings for three years after the last collection activity.
Putting It Into Practice: DCWP’s open-ended postponement gives collectors a brief reprieve, but the compliance lift remains steep. Market participants face a moving target and must keep programs designed to meet the rule’s contact caps, consent mechanics, verification timelines, and record-retention duties.
CFPB Seeks Comment on Proposed Rules to Scale Back Larger Participant Thresholds
Four advance notices of proposed rulemaking scheduled for publication on August 8 will solicit public comment on whether the CFPB should raise the size thresholds that determine which nonbank entities qualify as “larger participants” subject to routine Bureau supervision. The notices address the automobile-financing, international money-transfer, consumer-reporting, and consumer debt-collection markets.
Each of the applicable larger participant rules—adopted between 2012 and 2015 under the Consumer Financial Protection Act—sets a threshold based on origination volume or annual receipts. The CFPB is now considering whether those thresholds may sweep in too many small and midsize firms, thereby diverting limited supervisory resources from the largest market participants.
The Bureau’s analysis shows that a handful of very large entities now dominate each market. To concentrate oversight on those firms, the notices float substantial threshold increases:
Automobile financing. Raise the 10,000-origination bar to 300,000, 550,000, or 1,050,000 loans or leases. At the high end, only five captive lenders would remain under supervision, covering about 42% of originations.
International money transfers. Boost the one-million-transfer test to 10 million, 30 million, or 50 million annual remittances. This would reduce the number of covered providers from 28 to as few as four, while still capturing 61-94% of transfer volume.
Consumer reporting. Align the $7 million-receipt trigger with the Small Business Administration’s $41 million small-business cap, a change that would exclude dozens of regional and specialty bureaus yet keep at least six nationwide players within reach.
Debt collection. Lift the $10 million-receipt threshold to $25 million, $50 million, or $100 million, acknowledging industry consolidation and rising SBA size standards; even at $50 million, the Bureau estimates it would still cover more than 40% of market revenue.
Putting It Into Practice: The CFPB continues to scale back on its supervisory role in consumer protection (previously discussed here and here). Comments on the advance notices will be due 45 days after publication in the Federal Register. We will keep you posted on what develops.
Tennessee Data Privacy Law (TIPA) Effective July 1: Are You Prepared?
July 1 marked the official enforcement date of the Tennessee Information Protection Act (TIPA), the state’s comprehensive consumer privacy law. Signed into law in 2023, TIPA grants consumers specific rights concerning their personal information and regulates covered businesses and service providers that collect, use, share, or otherwise process consumers’ personal information. With all TIPA provisions now enforceable, it is important for regulated companies to understand the law’s comprehensive requirements.
Covered businesses and organizations
TIPA regulates entities that conduct business in Tennessee or produce products or services targeted to Tennessee residents, exceed $25 million in revenue, and meet one of the below criteria:
Control or process information of 25,000 or more Tennessee consumers per year and derive more than 50% of gross revenue from the sale of personal information; or
Control or process information of at least 175,000 Tennessee consumers during a calendar year.
Consumer Rights
TIPA grants consumers (Tennessee residents acting in a personal context only) the rights to confirm, access, correct, delete, or obtain a copy of their personal information, or opt out of specific uses of their data (such as selling data to third parties, using data for targeted advertising, or profiling consumers in certain instances). Companies must respond to authenticated consumer requests within 45 days, with a possible 45-day extension, and they must establish an appeal process for request denials. Controllers, which TIPA defines as companies that (alone or jointly) determine the purpose and means of processing personal information, must also offer a secure and reliable means for consumers to exercise their rights without requiring consumers to create a new account.
Company Responsibilities
Companies must limit data collection and processing to what is necessary, maintain appropriate data security practices, and avoid discrimination. Companies must provide a clear and accessible privacy notice detailing their practices, and, if selling personal information or using it for targeted advertising, disclose these practices and provide an opt-out option.
Opt-In for Sensitive Personal Information
TIPA prohibits processing sensitive personal information without first obtaining informed consent. Sensitive personal information is defined broadly and includes any personal information that reveals a consumer’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status. Sensitive information also includes any data collected from a known child younger than age 13, precise geolocation data (i.e., within a 1,750-foot radius), and the processing of genetic or biometric data for the purposes of identifying an individual.
Controller-Processor Requirements
Processors must adhere to companies’ instructions and assist them in meeting their obligations, including responding to consumer rights requests and providing necessary information for data protection assessments. Contracts between companies and processors must outline data processing procedures, including confidentiality, data deletion or return, compliance demonstration, assessments, and subcontractor engagement. The determination of whether a person is acting as a company or processor depends on the context and specific processing of personal information.
Data Protection Assessments
Companies must conduct and document data protection assessments for specific data processing activities involving personal information. These assessments must weigh the benefits and risks of processing, with certain factors considered. Assessments apply to processing of personal data created or generated on or after July 1, 2024, and in investigations by the Tennessee attorney general, are to be treated as confidential and exempt from public disclosure without a waiver of attorney-client privilege or work product protection.
Major Similarities to CCPA
TIPA shares many similarities with the California Consumer Privacy Act (CCPA), including:
Similar consumer rights;
Contractual requirements between controllers and processors; and
Requiring data protection assessments for certain processing activities.
Affirmative Defense
TIPA provides for an “affirmative defense” against violations of the law by adhering to a written privacy policy that conforms to the NIST Privacy Framework or comparable standards. The privacy program’s scale and scope must be appropriate based on factors such as business size, activities, personal information sensitivity, available tools, and compliance with other laws. In addition, certifications from the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules and Privacy Recognition for Processors systems may be considered in evaluating the program.
Enforcement
The Tennessee attorney general retains exclusive enforcement authority, and TIPA expressly states that there is no private right of action. The Tennessee attorney general must provide 60 days’ written notice and an opportunity to cure before initiating enforcement action. If the alleged violations are not cured, the Tennessee attorney general may file an action and seek declaratory and/or injunctive relief, civil penalties up to $7,500 for each violation, reasonable attorneys’ fees and investigative costs, and treble damages in the case of a willful or knowing violation.
Exemptions
The law includes numerous exemptions, including:
Government entities;
Financial institutions, their affiliates, and data subject to the Gramm-Leach-Bliley Act (GLBA);
Insurance companies;
Covered entities, business associates, and protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health Act (HITECH);
Nonprofit organizations;
Higher education institutions; and
Personal information that is subject to other laws, such as the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), and the Fair Credit Reporting Act (FCRA).
TIPA is just one of seven laws slated to go into effect this year. With three more laws going into effect next year, companies should review and determine whether laws such as TIPA apply to them and take steps to comply now that the law is in effect.
Washington Supreme Court Increases Risks of Lawsuits for False or Misleading Email Subject Lines
The Supreme Court of Washington recently clarified the scope of violative practices under the Washington Consumer Electronic Mail Act (CEMA). In Brown v. Old Navy, LLC,1 the Court ruled 5-4 that CEMA prohibits advertisers from disseminating any false or misleading information in the subject line of a commercial email, not just information that is false or misleading about the nature of the communication. In the wake of this decision, plaintiffs have filed multiple lawsuits seeking to expand traditionally limited liability for the content of commercial emails.
Analysis
In Brown v. Old Navy, LLC, the plaintiffs asserted that the defendant impermissibly sent emails with false or misleading information, in violation of CEMA. The plaintiffs alleged, for example, that the defendant announced that a 50% off promotion was ending even though the retailer continued to offer the promotion in the days following the initial e-mail.2 Other examples included e-mails that announced time-limited promotions (e.g., "today only" or "three days only") that were then extended beyond the specified time limit.3 The case was before the Washington Supreme Court on a question certified by a federal court in the Western District of Washington, where the case against the defendant remains pending.4
CEMA prohibits sending a commercial e-mail that “[c]ontains false or misleading information in the subject line.”5 The defendant argued for the same outcome as in Chen v. Sur La Table, where the Western District of Washington recently held that subsection (1)(b) “specifically prohibits false and misleading information as to the nature of the email, i.e. that the email is an advertisement.”6 Essentially, the defendant in Brown sought to have the Washington Supreme Court adopt the standard that federal courts have applied to claims under the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003 (CAN-SPAM), which has been interpreted to prohibit only false and misleading information as to the nature of the email (i.e., that it is commercial in nature).7 The plaintiffs argued the prohibition was not limited to information as to the commercial nature of the email.8 Instead, the plaintiffs asserted that any false and misleading information was prohibited by CEMA.9
Because the outcome of this case required statutory interpretation that would “have far-reaching effects” on those subject to Washington law, the Western District of Washington certified the following question to the Washington Supreme Court: “Does RCW 19.190.020(1)(b) prohibit the transmission of a commercial email with a subject line containing any false or misleading information, or is the prohibition limited to subject lines containing false or misleading information about the commercial nature of the email message?”10
The court ultimately sided with the plaintiffs, finding that a subject line does not need to deceive consumers about the subject or purpose of the email but rather merely needs to contain false or misleading information.11
The court was careful to limit the scope of its holding, however. It clarified that promotions that constitute statements of opinion, not of fact, are not “misrepresentations” actionable under CEMA, specifically stating that a “Best Deals of the Year” promotion would not be actionable.12 The court further held that “subjective, unverifiable claims about a product or service are ‘mere puffery’” and that “instances of mere puffery are not prohibited by [CEMA].”13
The Western District of Washington will still need to resolve two key questions that the Brown decision did not touch: (a) whether a plaintiff bringing suit under CEMA needs to establish traditional elements of fraud liability, such as scienter, reliance and damages; and (b) if not, whether CEMA is preempted by CAN-SPAM’s express preemption provision, which bars any state statutes that purport to impose liability for false statements in emails other than statutes prohibiting “falsity or deception.” Both of these questions are before the Western District on the defendant’s motion to dismiss.
Since the Washington Supreme Court’s decision, plaintiffs have filed a number of putative class actions under CEMA alleging the use of false or misleading information in subject lines. Most of these cite to subject lines supposedly creating “false urgency” as to the duration of promotions, or subject lines that tout specific discounts (e.g., 50% off) that are only available on limited categories of products. These cases are in the very early stages of litigation. How courts will evaluate CEMA claims in particular contexts remains to be seen.
Implications for Advertisers
The opinion in Brown v. Old Navy, LLC, emphasizes the importance of ensuring that material in advertising is not false or misleading. A violation of CEMA's e-mail regulations is a per se violation of the Consumer Protection Act.14 CEMA sets statutory damages of US$500 for each commercial e-mail sent to a Washington resident in violation of its regulations.15 The US$500 statutory damages do not require a showing of actual damages and accrue per recipient, so a single campaign sent to a large mailing list can produce substantial exposure.16 Thus, there is real financial risk in failing to adhere to the newly clarified CEMA parameters.
Conclusion
The Brown v. Old Navy decision underscores the heightened risk of CEMA lawsuits for advertisers who fail to adhere to the law's prohibition on false and misleading subject lines. By ensuring that subject lines contain no false or misleading statements of fact (as distinct from opinion or puffery), advertisers can better protect themselves from legal challenges and maintain compliance with CEMA. As the legal landscape continues to evolve, staying informed and proactive is essential for minimizing risk and safeguarding business operations. We will continue to monitor court decisions as the CEMA provisions are interpreted in litigation, and are available to answer any questions you might have.
Footnotes
1 Brown v. Old Navy, LLC, 567 P.3d 38 (Wash. 2025) (opinion published April 17, 2025).
2 Id. at 42.
3 Id.
4 Id. (citing Brown v. Old Navy, LLC, 2:23-CV-00781-JHC, 2023 WL 12071921, at *1 (W.D. Wash. Nov. 29, 2023)).
5 RCW 19.190.020(1)(b).
6 Brown v. Old Navy, 567 P.3d at 42 (citing Chen v. Sur La Table, Inc., 655 F. Supp. 3d 1082, 1092 (W.D. Wash. 2023)) (emphasis added by citing Court).
7 Id. at 46.
8 Id. at 44.
9 Id.
10 Brown v. Old Navy, LLC, 2:23-CV-00781-JHC, 2023 WL 12071921, at *1 (W.D. Wash. Nov. 29, 2023) (emphasis in original).
11 Brown v. Old Navy, 567 P.3d at 42.
12 Id. at 47.
13 Id.
14 See RCW 19.190.030(1), .100; ch. 19.86 RCW.
15 RCW 19.190.040.
16 Brown v. Old Navy, 567 P.3d at 42.
What to Watch: WHOOP Warning Letter
On July 14, the U.S. Food and Drug Administration ("FDA" or the "Agency") issued a warning letter (the "Warning Letter") to WHOOP, Inc. ("WHOOP"), rejecting WHOOP's claim that its wearable "Blood Pressure Insights" product qualifies as an unregulated wellness product[1] and alleging, instead, that the product qualifies as a "device"[2] under the Food, Drug, and Cosmetic Act ("FDCA") (i.e., is intended for use in the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition).[3] FDA concludes, therefore, that the product is misbranded and adulterated, because WHOOP is marketing it without a cleared 510(k) notification or an approved premarket application ("PMA").
In the Warning Letter, FDA points to evidence that allegedly shows that the product is intended to measure blood pressure, which FDA says is “inherently associated with the diagnosis of hypo- and hypertension:”
Product claims on WHOOP’s website, which describe the product as providing “daily systolic and diastolic blood pressure estimations, offering members a new way to understand how blood pressure affects their performance and well-being” and “delivering medical-grade health & performance insights;”
Condition statements on WHOOP’s website, which state that “the impact of blood pressure on sleep, recovery, and performance are not well understood or widely studied” but “[h]igher blood pressure may be an indicator of poor sleep;”
Product design, which includes green, yellow, and orange color-coding to indicate a target blood pressure range; and
Other product clearances (i.e., other blood pressure measurement products that do not explicitly reference hypo- or hypertension in their labeling are nonetheless marketed under valid 510(k) clearances, undercutting the argument that such products fall outside device regulation).
FDA clarifies that the presence of disclaimers, and the fact that the product provides a daily blood pressure range and midpoint estimate rather than a real-time reading, are not sufficient to render the product an unregulated wellness product, because FDA does not consider the product "low risk." According to FDA, providing blood pressure measurements is not a low-risk function because "high blood pressure is the most prevalent modifiable risk factor for cardiovascular disease" and "[a]n erroneously low or high blood pressure reading can have significant consequences for the user," including "stroke, heart attack, heart failure, kidney failure, cognitive decline, and premature death." As FDA notes, the risk is especially heightened for a disease like hypertension that often presents without physical symptoms.
Notably, FDA issued the Warning Letter only about two months after its first engagement with WHOOP, signaling an apparent increase in enforcement urgency in this area, especially for wearable physiological measurement products that FDA deems high risk. Manufacturers of such products who wish to remain within the general wellness exemption should take care to design product outputs and draft marketing and labeling claims in alignment with FDA's guidance and historical enforcement on unregulated wellness products.
Interestingly, however, WHOOP is publicly standing its ground. The day after FDA published the Warning Letter, WHOOP fired back with a press release defending its position that its "Blood Pressure Insights" product is an unregulated wellness product and not a regulated device.[4] Although we haven't yet heard of a rebuttal by FDA, it will be interesting to see whether the Agency chooses to make an example of WHOOP or, perhaps, defuse the situation through increased industry education (after all, FDA did just launch its so-called "Regulatory Accelerator," intended to help guide developers of digital health products through the relatively complex regulatory framework). Either way, this is definitely a space to watch.
FOOTNOTES
[1] Under the FDCA, a software function is not a device if it is intended for maintaining or encouraging a healthy lifestyle and is unrelated to the diagnosis, cure, mitigation, prevention, or treatment of a disease or condition. See 21 USC 360j(o); FDA Guidance, General Wellness: Policy for Low Risk Devices.
[2] Specifically, a non-invasive blood pressure measurement system regulated under 21 CFR § 870.1130.
[3] 21 USC 321(h).
[4] See Press Release, Why WHOOP Stands Behind Blood Pressure Insights, WHOOP, Inc. (July 15, 2025).
Congress Passes Homebuyer Lead Reform Bill, Limiting Mortgage Lead Sharing Under FCRA
On August 2, the U.S. Senate passed the Homebuyers Privacy Protection Act (H.R. 2808) by unanimous consent, which amends the Fair Credit Reporting Act (FCRA) to restrict consumer reporting agencies from sharing “trigger leads” generated in connection with residential mortgage credit inquiries. The bill now awaits the President’s signature and would take effect 180 days after enactment.
Trigger leads are generated when a consumer applies for residential mortgage credit, prompting credit bureaus to share limited prescreened data with other lenders. While originally intended to encourage competition through firm offers of credit, trigger leads have drawn criticism from lawmakers and consumer advocates for enabling a surge of unsolicited calls, texts, and emails following mortgage applications. The bill curbs this practice by sharply limiting who can access trigger leads and under what conditions.
Specifically, the bill’s provisions include:
Restrictions on trigger leads. A consumer reporting agency may furnish a mortgage-related trigger lead only if the recipient: (1) has obtained the consumer’s documented authorization to access their report; (2) originated the consumer’s current residential mortgage loan; (3) services the consumer’s current residential mortgage loan; or (4) is a depository institution or credit union that holds a current account for the consumer.
Preservation of firm-offer standard. Every trigger-lead recipient must continue to make a firm offer of credit, consistent with the existing FCRA safeguard against purely speculative solicitations.
GAO study of text-message marketing. The Comptroller General must report to Congress within a year on the effectiveness and consumer impact of trigger-lead solicitations delivered by text.
Putting It Into Practice: If signed, the Act will start a 180-day countdown to compliance—meaning credit bureaus, mortgage lenders, and lead generators should review their prescreening practices and revise data-sharing protocols to align with the new statutory restrictions. Financial institutions should also prepare to document authorization flows, limit data access to only eligible entities, and maintain firm offer compliance under FCRA.