Texas Legislature Amends Data Broker Law to Broaden Definition, Arguably Narrow Applicability Thresholds
In late June, Governor Abbott signed into law SB 2121 and SB 1343, two bills that amend the existing Texas Data Broker Act. The amendments broaden the definition of “data broker” and alter the applicability thresholds (SB 2121), and provide enhanced notice and registration statement requirements regarding how consumers can exercise their privacy rights (SB 1343). As we discuss below, companies that previously assessed and decided that Texas’ data broker law may not apply to them should likely review and re-evaluate this decision in view of these amendments, which become effective September 1, 2025.
Expanded “Data Broker” Definition
To fall under the scope of the data broker law, entities must meet the definition of “data broker” and one of two applicability criteria that are tied to revenue derived from processing or transferring personal data not collected directly from individuals. SB 2121 broadens the definition of “data broker” substantially to mean a “business entity that collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.” The italicized text replaces the previous, much narrower text that pulled in only entities “whose principle source of revenue is derived from the collecting, processing, and transferring” of personal data that the entity did not collect directly. This new definition likely means that any business entity which collects personal data from a source other than the individual – the vast majority of companies – may meet the definition of data broker.
Narrowed Applicability Thresholds
While the definition has been broadened, the applicability provisions have arguably been narrowed to require deriving revenue “directly” from processing or transferring personal data not collected directly from individuals. Specifically, in order for the law to apply, an entity that meets the definition of data broker must either derive more than 50 percent of its revenue directly from collecting or transferring personal data that it did not collect directly from individuals, OR derive any amount of revenue directly from processing or transferring the personal data of more than 50,000 individuals that the entity did not collect directly from individuals. The previous language of this section did not require revenue to be “directly” derived from such activities and thus arguably marks a narrowing of the applicability thresholds: “this chapter applies only to a data broker that, in a 12-month period, derives: (1) more than 50 percent of the data broker’s revenue directly from processing or transferring personal data that the data broker did not collected by the data broker collect directly from individuals to whom the data pertains; or (2) revenue directly from processing or transferring the personal data of more than 50,000 individuals that the data broker did not collected by the data broker collect directly from the individuals to whom the data pertains.” Notably, “directly” is not defined in the law and there is no legislative history discussing or indicating the legislature’s intent as to the term.
Of course, there are likely many use cases where revenue is more arguably “directly” generated from collection or transferring of personal data. On the other hand, even in data-intensive industries, like advertising technology, there are likely viable arguments that revenue is not being derived directly from the collection or processing of personal data but rather from the provision of services or success of campaigns. In any event, companies in many industries will likely have to make risk-based decisions regarding the applicability of this law as amended and whether to register as a data broker in Texas.
Changes to Registration and Notice Requirements
The Texas Data Broker law requires data brokers that maintain an internet website or mobile application to provide a notice that, among other things, states that the entity is a data broker. SB 1343 amends the law to require data brokers to also include in the notice how a consumer can “exercise any consumer rights the consumer may have under [the Texas Data Security and Privacy Act (TDSPA)].” Most companies that are in compliance with the TDSPA should already have such information in their online privacy notice. The amendment also now requires, in a data broker’s registration statement, inclusion of “a link to a page on the data broker’s Internet website that provides consumers with specific instructions, which must be prominently displayed, on how to exercise their consumer rights under [the TDSPA], and any other applicable data privacy rights under [the TDSPA].” Companies seemingly could seemingly comply with this section by providing a deep link to the section of their privacy notice which has information on exercising consumer privacy rights. Alternatively, data brokers could create a separate webpage with the required information and provide a link to such webpage.
Other State Data Broker Laws
In addition to Texas, four other states – California, Nevada, Oregon, and Vermont – also have data broker laws in place with specific obligations, including registration (excluding Nevada) and, as to some, processing consumer rights requests. See below for a handy chart that includes certain details regarding these states’ data broker laws.
As Privacy World readers may know, California amended its data broker law through the Delete Act in 2023, with significant changes that come into effect over the course of several years through 2028 (see our blog post for more details). The California Privacy Protection Agency is close to completing rulemaking under the Delete Act, and its proposed regulations would add further complexity and compliance burdens to businesses that qualify as data brokers in California, including most notably the processing of deletion and opt-out requests through the Deletion Request and Opt-Out Platform – or DROP – which is the subject of the CPPA’s forthcoming regulations. The CPPA recently announced a board meeting that will take place on July 24, during which the CPPA Board is likely to vote to approve the proposed regulations. As of the date of this post, the CPPA has not provided any Meeting Records, such as a proposed final draft of the regulations.
Stay tuned to Privacy World for more on this and other pressing topics.
State Data Broker Laws
State
Registration requirement
Necessary to be registered to do business in state to register as data broker
Consumer rights
Specific Notice Obligations/ Privacy Policy Content
Timing of Registration
California
Yes
No
Yes
Yes
Between January 1 and January 31 following each year in which entity meets data broker definition. Must renew registration annually.
Nevada
No
N/A
Yes
No
No registration requirement
Oregon
Yes
Yes
Yes (seemingly optional)
Unclear, may be needed for explaining consumer rights obligations
Must register prior to collecting, selling or licensing brokered personal data within Oregon. Registration valid until December 31 of the year in which approved, after which need to renew.
Texas
Yes
No
No (but requires notice of rights under Texas Data Security and Privacy Act)
Yes
Before conducting business in Texas, a data broker must register. Expires on first anniversary of issuance date, after which must renew
Vermont
Yes
No
Yes (seemingly optional)
Unclear, may be needed for explaining consumer rights obligations
Between January 1st and January 31st following each calendar year in which meet data broker definition. Must renew registration annually.
OCR Reaches HIPAA Settlement with Behavioral Health Care Provider Over Alleged HIPAA Security Rule Violations
On July 7, 2025, the Department of Health and Human Services’ (“HHS’”) Office for Civil Rights (“OCR”) announced a HIPAA enforcement action against Deer Oaks, a health care provider of psychological and psychiatric services to residents of long-term care and assisted living facilities. The settlement follows two separate incidents involving the exposure of electronic protected health information (“ePHI”) and highlights OCR’s continued emphasis on the importance of conducting risk analyses as required by the HIPAA Security Rule.
OCR launched its investigation in May 2023 after receiving a complaint alleging that Deer Oaks had impermissibly disclosed ePHI by making patient discharge summaries publicly accessible online. OCR confirmed that ePHI was inadvertently exposed due to a coding error in a now-defunct online portal pilot. The summaries were indexed by search engines and remained accessible until at least May 19, 2023, affecting the data of 35 individuals.
OCR expanded its investigation in July 2024, after a ransomware attack against the company that occurred in August 2023. Deer Oaks reported the breach to HHS, notified the media and issued notifications to over 171,000 affected individuals.
OCR concluded that Deer Oaks failed to conduct an accurate and thorough risk analysis, in violation of the HIPAA Security Rule. To resolve the matter, Deer Oaks agreed to pay $225,000 and implement a two-year corrective action plan that requires Deer Oaks to:
conduct and annually update its HIPAA risk analyses;
develop and implement a risk management plan to address identified vulnerabilities;
maintain and revise HIPAA-compliant policies and procedures; and
provide annual workforce training on HIPAA requirements.
This settlement serves as another reminder that OCR expects regulated entities to comply with the HIPAA Security Rule and proactively identify and address risks to ePHI, particularly as cyber threats to ePHI grow more sophisticated.
Mid-Year Report for State Consumer Privacy Laws
Now that we have passed the halfway mark in 2025, we are taking a look back at significant developments that have already occurred this year in the consumer data privacy landscape. Five more states’ comprehensive privacy laws went into effect, and several states enacted noteworthy amendments to their existing statutes.
Given the shifting environment, particularly as different states introduce new applicability thresholds and require different treatment for specific types of protected consumer data, we encourage any business collecting or processing personal data from consumers to monitor which state data laws do (or will) apply to them and understand their obligations within each state.
Laws Taking Effect in 2025
Several state privacy laws passed in previous years took effect at the beginning of 2025, and a few additional comprehensive data privacy statutes are set to go into effect in the coming months. To date, there is little or no public enforcement of these new laws by state attorneys general, which mirrors the pattern of enforcement in states with older laws (for instance, the California Privacy Protection Agency announced its first settlement under the California Consumer Privacy Act this year, nearly three years after the law went into effect).
The following table details which laws went into effect or will go into effect this year. In the rightmost column, please find links to articles published by the Mintz team providing in depth summary of each law’s applicability thresholds, consumer rights framework, business requirements, and more.
Table 1: Newly Effective Laws
State/Data Privacy Statute
Effective Date
Links to Mintz Articles
Delaware Personal Data Privacy Act
January 1, 2025
Delaware’s Consumer Privacy Law is Right Around the Corner
Iowa Consumer Data Protection Act
January 1, 2025
Just Around the Corner, Iowa’s Consumer Privacy Law Taking Effect
Nebraska Data Privacy Act
January 1, 2025
Nebraska’s Consumer Privacy Law Takes Effect Soon and Targets Businesses Selling Personal Data
New Hampshire Data Privacy Act
January 1, 2025
Live Free and Protect: New Hampshire Joins the Growing List of States to Adopt a Comprehensive Data Privacy Law in 2024
New Jersey Data Privacy Act
January 15, 2025*
New Jersey Adopts a Comprehensive Data Privacy Law
Tennessee Information Protection Act
July 1, 2025
Tennessee’s Information Protection Act Gets Us Thinking About NIST(y) Safe Harbors
Minnesota Consumer Data Privacy Act
July 31, 2025
Minnesota’s Consumer Privacy Law Takes Aim at Profiling and Takes Effect Soon
Maryland Online Data Privacy Act
October 1, 2025
Maryland Enacts Sweeping Privacy Reform
*The New Jersey Division of Consumer Affairs recently announced proposed regulatory rules intended to implement further the consumer rights established within the NJDPA. Consumers can provide public comment on the rules until August 1, 2025, and publication of a Notice of Adoption is expected sometime in 2026.
Recent Amendments
Several states with existing consumer privacy laws have implemented new amendments this year, which will become effective in the coming months.
Montana’s comprehensive amendment
The most sweeping amendment comes from Montana, which adjusts applicability thresholds and exemptions, changes requirements for responding to consumer requests, requires additional opt-out capabilities, and builds out additional obligations for privacy notices.
Effective October 1, 2025, the applicability threshold bar for Montana will be lowered to cover persons or businesses which control or process the personal data of 25,000 or more consumers (replacing current threshold of 50,000 or more consumers). And, for an entity which earns more than 25% of its gross revenue from sale of personal data, the threshold will be decreased from 25,000 or more consumers to 15,000 or more consumers. This will mark the lowest applicability threshold of any state with a comprehensive consumer privacy statute and demonstrates intent by Montana’s state lawmakers to cast a wide net with its amended law.
Under the amended law, nonprofits as a general category are no longer exempt. Instead, only nonprofits established with the purpose of detecting and preventing insurance fraud are exempt from the law. Montana’s amendment also enhances requirements for privacy notices. Businesses must now provide a “clear and conspicuous” method for consumers to opt out of the sale of their personal data or processing of that personal data for targeted advertising, and other requirements are aimed at making sure businesses provide an easily accessible and comprehensible privacy notice providing clear explanation of rights available to Montana consumers.
The amendment makes additional changes regarding disclosure of information in response to consumer data subject requests, it clarifies what constitutes a heightened risk of harm to minors in connection with processing data of minors under 18, and it expands enforcement and investigative tools available to Montana’s attorney general.
Other State Amendments
Other state amendments to consumer privacy statutes were more targeted: Oregon passed an amendment in June that restricts the selling of personal data if the information can accurately identify a person or their personal device’s past or present location within a 1,750 foot radius, or if the business has actual knowledge that, or willfully disregards whether, the consumer is under 16 years of age. Those changes will become effective on January 1, 2026.
Colorado also focused on geolocation data in a June amendment, changing its consumer privacy statute to include precise geolocation data (defined in part to capture data that identifies a person within a 1,850 foot radius) as part of its definition of “sensitive data,” and providing that a controller cannot process or sell a consumer’s sensitive data without first getting consent. This change became effective June 3, 2025.
Utah amended its Utah Consumer Privacy Act (UCPA) by establishing that, in addition to already existing consumer rights with respect to personal (e.g., the right of access, the right of deletion, the right to obtain copies, and the right to opt out of processing), a consumer has the right to request a controller correct inaccuracies with personal data. Within the same bill, Utah also focused on social media rights covered by its Digital Choice Act, establishing that personal data, as defined by the UCPA, also includes a social media user’s “social graph”, meaning a user’s social connections, content, and responses between a user and other users, and a consumer has a right to request this personal data from a social media service pursuant to rights under the UCPA. These changes become effective on July 1, 2026.
Looking ahead
As of this writing, 20 states have passed comprehensive consumer privacy laws and several others have passed narrowly-tailored acts targeting specific rights or industries. Many other states have recently introduced or progressed comprehensive bills in their respective legislatures, such as Illinois, Maine, Massachusetts, Michigan, New York, North Carolina, Oklahoma, Pennsylvania, and Vermont. Notably, 2025 has not yet seen any omnibus privacy law move out of legislative consideration to a governor’s desk for signature. This is a departure from the trend we saw at this time last year, when seven states had enacted comprehensive state privacy laws in the first half of 2024. We will continue to watch this space and provide additional updates as state legislatures wind down their 2025 session.
CPPA to Hold Board Meeting on Proposed CCPA Regulations and DROP Requirements
The California Privacy Protection Agency (“CPPA”) Board will hold a board meeting on July 24, 2025, at 9:00 am PDT. The public is invited to attend the meeting in person or virtually. The agenda for the meeting includes discussion and possible action on (1) proposed CCPA regulations regarding automated decisionmaking technology, risk assessments, cybersecurity audits, insurance and updates to existing regulations and (2) proposed implementing regulations for the Delete Request and Opt-Out Platform (“DROP”) under the California Delete Act. The agenda also includes a legislative update and CPPA positions on pending legislation.
Ninth Circuit Upholds Converse’s Win in CIPA Chat Case: What the Gutierrez v. Converse Decision Means for Online Businesses
Introduction
The intersection of digital customer service tools and privacy law continues to generate high-stakes litigation, especially in California, where the California Invasion of Privacy Act (“CIPA”) has become a frequent basis for lawsuits against companies using website chat features, pixels, and other kinds of tracking technology. In the latest development, the Ninth Circuit Court of Appeals issued an unpublished opinion in Gutierrez v. Converse Inc., affirming summary judgment in favor of Converse. The decision provides important guidance on the evidentiary standards required in CIPA cases involving internet-based communications, while leaving open key questions about the statute’s reach in the digital age.
District Court Proceedings: The Scope of CIPA and Online Chat
The underlying lawsuit arose from Converse’s use of an online customer service chat feature, which was provided by Salesforce, and allowed website visitors to communicate directly with Converse customer service agents. Plaintiff Nora Gutierrez claimed that these online chat communications were intercepted in violation of CIPA Section 631(a), a statute originally designed to protect the privacy of telephone and telegraph communications.
Converse moved for summary judgment, arguing that the online chat feature did not implicate the types of communications covered by CIPA’s first clause, which targets unauthorized connections to “telegraph or telephone wire, line, cable, or instrument.” The district court agreed, holding that internet-based chat messages are not analogous to traditional telephone communications as contemplated by the statute. The Court also found that the third-party chat provider, Salesforce, did not engage in eavesdropping as defined by CIPA’s second clause: messages were encrypted in transit and stored behind password protection, and there was no evidence that Salesforce “willfully and without consent” read or attempted to read the contents of any communication. As a result, the Court granted summary judgment for Converse on all CIPA claims.
The Ninth Circuit’s Opinion: Affirming on Evidentiary Grounds
On appeal, the Ninth Circuit affirmed the district court’s decision, focusing on the plaintiff’s failure to meet her evidentiary burden under CIPA Section 631(a). The Ninth Circuit addressed claims under three key clauses of the statute:
The first clause, addressing wiretapping, prohibits intentionally tapping or making any unauthorized connection with any telegraph or telephone wire, line, cable, or instrument.
The second clause, addressing eavesdropping, prohibits willfully reading or attempting to read or learn the contents or meaning of a message in transit over such wires, lines, or cables.
The fourth clause, providing for secondary liability, prohibits aiding, agreeing with, employing, or conspiring with any person to do any of the acts prohibited by the first three clauses.
The Ninth Circuit found that Gutierrez failed to present evidence from which a reasonable jury could conclude that Salesforce made any unauthorized connection to a telephone wire or instrument, or that it read or attempted to read the contents of any message in transit. The Court also found no evidence to support a claim that Converse aided or abetted any such violation. In short, the plaintiff did not meet her evidentiary burden to create a triable issue of fact under any of the relevant CIPA clauses.
Crucially, the Ninth Circuit did not reach the broader legal question of whether CIPA Section 631(a) applies at all to internet-based communications like website chat features. This means that, in a future case with different facts or a more developed record, the question of the first clause of CIPA’s application to internet communications could be revisited.
In a separate concurrence, Judge Bybee argued that the Court should have gone further and held as a matter of law that CIPA Section 631(a)’s first clause does not apply to Internet communications at all. He pointed to the statute’s text, legislative history, and the weight of district court authority, all of which support the view that the first clause is limited to traditional telephony and does not reach modern internet-based chat. Judge Bybee’s concurrence signals a willingness among some jurists to resolve these cases on statutory interpretation grounds, rather than on the sufficiency of the evidence.
Implications for Businesses: Practical Advice
Although the Ninth Circuit’s opinion is unpublished, it is likely to be persuasive in future cases involving similar facts. The decision underscores the importance of the evidentiary burden in CIPA litigation: plaintiffs must present concrete evidence that a third-party provider actually intercepted, read, or attempted to read the contents of communications in real time, not merely that such interception was possible.
For businesses, the Gutierrez decision underscores several practical points. First, the case demonstrates the value of documenting privacy and security practices. Businesses should be prepared to show, with evidence, that their systems and vendors do not access or use the contents of user communications without consent.
Second, the decision serves as a reminder that the legal landscape regarding CIPA’s application to Internet-based communications remains unsettled at the appellate level. Businesses should continue to monitor legal developments in this area and consult with counsel regarding compliance strategies.
Finally, even though the current evidentiary bar is high for plaintiffs, companies should not become complacent. Clear and conspicuous user disclosures and consent mechanisms remain a best practice to mitigate litigation risk, especially as courts and legislatures continue to grapple with the scope of privacy protections in the digital age.
Conclusion
The Ninth Circuit’s decision in Gutierrez v. Converse provides some comfort for businesses using online chat features and other tracking technology, as it highlights the high evidentiary bar plaintiffs must clear to prevail on CIPA claims involving internet-based communications. However, the Court’s narrow approach leaves open the possibility of future challenges. Businesses should remain vigilant, ensure robust privacy and security practices, and stay abreast of ongoing legal developments in this rapidly evolving area.
Consumer Compass Newsletter- July 2025
Implied Preemption Following Davidson v. Sprout Foods, Inc.
In Davidson v. Sprout Foods, Inc., 106 F.4th 842 (9th Cir. 2024), the Ninth Circuit permitted claims under the Sherman Law, California’s analogue to the federal Food, Drug, and Cosmetic Act (FDCA). Plaintiffs alleged the defendant produced pouches of baby food with labels on the front of the package conspicuously stating the amount of nutrients and brought claims under California’s Unfair Competition Law (UCL) for violations of the Sherman Law. The District Court for the Northern District of California dismissed the claim, holding it was impliedly preempted because the state law claim was derived from the FDCA, which could only be enforced by the federal government.
On appeal, the Ninth Circuit reversed. A divided Ninth Circuit panel held that plaintiffs’ state law food-labeling claims seeking to privately enforce the Sherman Law were not impliedly preempted under Buckman Co. v. Plaintiffs’ Legal Comm., 531 U.S. 341 (2001), because plaintiffs were claiming violations of the Sherman Law, not the federal FDCA. The court held that the FDCA does not preempt claims for violations of parallel state law duties. The Supreme Court denied a petition for writ of certiorari.
In the wake of the Ninth Circuit’s decision, a number of cases within the circuit have followed the precedent set by Davidson, holding that state law food-labeling claims under the Sherman Law were not impliedly preempted by the FDCA.1 Davidson—which is in conflict with the holdings of several other circuits—has not been followed by courts outside the Ninth Circuit. See, e.g., DiCroce v. McNeil Nutritionals, LLC, 82 F.4th 35, 41 (1st Cir. 2023), cert. denied, 144 S. Ct. 1382, 218 L. Ed. 2d 443 (2024) (affirming dismissal and holding federal law preempts state law claims based on Massachusetts state law that specifically incorporated FDCA food labeling regulations).
SCOTUS Class Action Cases | Spring 2025
Lackey v. Stinnie, 145 S. Ct. 659 (2025)
Award of preliminary injunction did not render plaintiffs “prevailing part[ies]” eligible for attorney’s fees under 42 U.S.C. § 1988(b). Virginia drivers whose licenses were suspended due to their failure to pay court fines brought a class action suit against the commissioner of the Virginia Department of Motor Vehicles under 42 U.S.C. § 1983, arguing that the Virginia statute requiring suspension of their licenses was unconstitutional. The district court preliminarily enjoined the commissioner from enforcing the statute. But before the case reached final judgment, the Virginia General Assembly repealed the challenged law, rendering the action moot. The question presented to the Supreme Court was whether the drivers were “prevailing part[ies]” who qualify for an award of attorney’s fees under § 1988(b).
The Supreme Court held that, because the drivers gained only preliminary injunctive relief before the action became moot, they do not qualify as “prevailing part[ies]” eligible for attorney’s fees under § 1988(b). The Court reasoned that “[i]n awarding preliminary injunctions, courts determine if a plaintiff is likely to succeed on the merits—along with the risk of irreparable harm, the balance of equities, and the public interest,” and because preliminary injunctions do not conclusively resolve the rights of parties on the merits, they do not confer “prevailing party” status. The Supreme Court also explained that this conclusion served the interests of judicial economy by reducing the risk of “a second major litigation” over attorney’s fees.
Royal Canin U.S.A., Inc. v. Wullschleger, 604 U.S. 22, 145 S. Ct. 41 (2025)
Post-removal amendment can divest a federal court of jurisdiction.
A consumer brought a putative class action in Missouri state court against manufacturer of prescription dog food, alleging violations of the Federal Food, Drug, and Cosmetic Act (FDCA), Missouri Merchandising Practices Act (MMPA), and state antitrust law. The manufacturer removed the case, and the district court remanded to state court. On the manufacturer’s petition for review, the Eighth Circuit vacated, finding that, although the consumer did not plead independent claims under FDCA, federal-question jurisdiction existed because the meaning of relevant FDCA provisions was thoroughly embedded in, and integral to, success of the consumer’s state-law claims. The consumer then amended, so the complaint no longer mentioned or asserted claims under the FDCA, and then requested remand to state court. After denying remand, the district court dismissed the complaint on the merits. The consumer appealed, and the Eighth Circuit vacated and ordered remand to state court. The Supreme Court granted certiorari to resolve a circuit split regarding whether a post-removal amendment can divest a federal court of jurisdiction.
In a unanimous opinion, the Supreme Court held that the post-removal amendment of the complaint to remove all federal questions deprived the district court of supplemental jurisdiction over remaining state-law claims. The Court held that with the loss of federal-question jurisdiction, a federal court loses its supplemental jurisdiction over the state-law claims.
HHS and FDA Announce Intention to Phase Out All Synthetic Food Dyes; Approve Three ‘Natural’ Food Dyes
On April 22, 2025, the U.S. Dept. of Health and Human Services (HHS) and the U.S. Food and Drug Administration (FDA) held a press conference to announce a series of actions to “phase out” petroleum-based synthetic dyes used in food. Those actions related to food dyes include the following:
Initiating the process to revoke authorization for two synthetic food dyes—Citrus Red No. 2 and Orange B—in the coming months.
Working with industry to eliminate six additional synthetic food dyes—FD&C Green No. 3, FD&C Red No. 40, FD&C Yellow No. 5, FD&C Yellow No. 6, FD&C Blue No. 1, and FD&C Blue No. 2—from the food supply by the end of 2026.
Authorizing new natural color additives, while accelerating the review and approval of others.
Requesting food companies to remove FD&C Red No. 3 sooner than the current 2027-2028 deadline.
Following the April 2025 press conference, the FDA announced May 9, 2025, that it approved three “natural” color additive petitions for foods. The approved color additive petitions include the following:
Galdieria extract blue, a blue color derived from a form of red algae. The FDA approved its use in a wide range of nonalcoholic beverages, breakfast cereal coatings, candy, ice cream, and a variety of other desserts.
Butterfly pea flower extract, another blue color produced through the water extraction of the dried flower petals of the butterfly pea plant. While already approved for use in beverages, candy, ice cream, and yogurt, the FDA expanded its approval to use in cereals, crackers, and other snack products.
Calcium phosphate, a white color approved for use in ready-to-eat chicken products, white candy melts, doughnut sugar, and sugar for coated candies.
All of these actions underscore the current administration’s intent to transition the food supply away from synthetic petroleum-based dyes to more naturally sourced color ingredients.
PFAS Prohibition Law Updates
Chemical regulation in the consumer products space continues to increase, with significant developments focused on regulating per- and polyfluoroalkyl substances (PFAS) in various categories of consumer products. There are many dozens of laws across various states that already regulate or prohibit PFAS in various product categories, with Maine implementing a ban on intentionally added PFAS in all products in 2032 subject to a feasibility analysis.
Minnesota’s PFAS law came into effect this year, starting with a ban on the sale or distribution of various groups of consumer products with intentionally added PFAS and working up to a ban on intentionally added PFAS in all products beginning in 2032. Almost immediately, an industry group challenged the law, alleging that the ban on cookware violates the constitution. That case remains pending.
California and Colorado also have passed new laws banning the sale or distribution of certain consumer products with intentionally added PFAS start in January 2025. New Mexico became the newest state to ban intentionally added PFAS in consumer products (but exempting fluoropolymers). Following in the footsteps of Maine and Minnesota, New Mexico’s ban is a phased approach with its first prohibitions taking effect in 2027 and a blanket prohibition on the sale of all products with intentionally added PFAS commencing in 2032. Finally, Vermont passed a consumer products PFAS ban that expands a previously enacted prohibition.
Prop 65 and Other State-Level Chemical Regulation
The proliferation of Prop 65 chemical listings and notices of violation continue. Bisphenol S (BPS) became penalty-eligible at the end of 2024 and has resulted in dozens of retailers and restaurants receiving notices of violation concerning BPS in thermal receipt paper. BPS enforcement could also become prevalent in other areas including textiles and food packaging.
In foods, there continues to be significant enforcement around lead and cadmium. However, food companies may no longer need to worry about acrylamide under Prop 65, as a court in the Eastern District of California recently permanently enjoined Prop 65 acrylamide cancer warnings on a First Amendment basis.
In cosmetics, titanium dioxide litigation may be approaching its end, with the Eastern District of California issuing a preliminary injunction preventing new titanium dioxide Prop 65 lawsuits on the basis of the compelled warning violating First Amendment speech rights. In its place, plaintiffs are now focusing on the chemical diethanolamine (DEA), with dozens of lawsuits being filed against much of the cosmetic industry this year.
In terms of new chemical listings, vinal acetate was listed in January of this year, with potential enforcement commencing in early 2026. Additionally, the International Agency on Cancer Research (IARC) has designated isoeugenol and talc as 2B carcinogens, which may trigger future Prop 65 listings.
Outside of Prop 65, states continue to regulate other chemicals in consumer products such as cosmetics. Washington’s HB 1047, the Toxic-Free Cosmetics Act (TFCA), took effect in 2025, prohibiting the sale of cosmetics containing certain chemicals, including a one part per million lead restriction. The Washington Department of Ecology is also currently engaged in a rulemaking under the TFCA to restrict formaldehyde in cosmetics. Additionally, Minnesota continues to enforce its restrictions on lead and cadmium in consumer products, including cosmetics, apparel, and jewelry, which prohibit the sale of subject consumer products containing more than 90 parts per million of lead or 75 parts per million of cadmium..
EPR Packaging Update
Extended Producer Responsibility (EPR) laws continue to expand across the United States, posing operational challenges for consumer-packaged goods companies by shifting the cost of waste management from municipalities to producers of single-use packaging. Maryland and Washington passed their own EPR packaging laws, joining California, Colorado, Maine, Minnesota, and Oregon to total seven states that have full EPR packaging programs in place.
The first reporting deadline was in Oregon on March 31, 2025, with producers reporting their packaging data to Circular Action Alliance (CAA), which administers EPR programs in several states. Recognizing the significant requirements that producers face, CAA announced a grace period through April 30, 2025, for producers to submit their Oregon reports. CAA finalized the Oregon base fees for this initial reporting cycle and have started issuing invoices to producers for their respective fees based on the 2024 reporting data. The next reporting deadline is July 31, 2025, in Colorado.
California’s EPR program faced a major setback in March when Gov. Gavin Newsom ordered CalRecycle to restart its rulemaking process for its regulations implementing California’s program. These regulations not only define producer activities when it comes to reporting, but also compliance measures related to California’s additional source reduction and recycling requirements under its EPR law. CalRecycle is now in the process of restarting its rulemaking, despite receiving continued pushback from both lawmakers and industry about concerns over the agency’s implementation of the law. In light of this regulatory uncertainty, CAA recently announced that California’s initial reporting deadline will be pushed back from Aug. 31, 2025, to Nov. 15, 2025.
EPR and Textiles
In addition to its packaging EPR law, in 2024 California passed a textile EPR law, SB 707, which created the first EPR program for apparel and textiles in the United States. Similar to the packaging EPR laws, SB 707 places the cost and burden of recycling covered textile materials on the producers of the textile items, requiring them to join a stewardship organization to manage the collection and recycling of apparel and textile products. CalRecycle is tasked with overseeing this program and is holding a workshop July 17, 2025, to discuss its next steps regarding rulemaking and program oversight. Read more about this development in our June 2025 GT Alert.
SB 343 – California’s Truth in Recycling Law
Companies must begin considering compliance with California’s SB 343, the Truth in Recycling law, which concerns recycling advertising on products and packaging sold in California. SB 343 creates new standards for determining when products and packaging can be labeled as recyclable and use the familiar “chasing arrows” symbol. The law prohibits the use of any recyclability indicators unless the product or packaging meets the law’s criteria, and violations can plausibly result in class action lawsuits or state enforcement actions.
Pursuant to SB 343, CalRecycle was tasked with studying how materials are collected, sorted, sold, or transferred for recycling in California and publishing a report that compiles these findings. Under the statute, publishing this report triggers an 18-month compliance deadline for parties to start meeting the new criteria. CalRecycle published this report, the “Material Characterization Study,” April 4, 2025, which means that businesses have until Oct. 4, 2026, to bring their products and packaging into compliance with SB 343.
It is unclear whether CalRecycle’s Material Characterization Study is merely the agency’s interpretation of its data on California’s recycling practices, or whether the study provides legally binding categorizations of materials as recyclable. This leaves uncertainty around whether and how companies can comply with SB 343.
Compostable Claims in California
California’s AB 1201, which already established the nation’s most stringent requirements for compostable labeling, provides that starting Jan. 1, 2026, any product or packaging labeled as “compostable” or “home compostable” in California must qualify as an allowable agricultural organic input under the U.S. Department of Agriculture’s National Organic Program (NOP). Currently, this requirement essentially creates a de facto ban on labeling plastic and polymer-based synthetic packaging and products as compostable because most do not meet the NOP requirements. However, under the statute, CalRecycle can delay this restriction for products and substances that will soon become allowable agricultural organic inputs under the NOP. The agency announced June 11 that it is extending the compliance date until June 30, 2027, for synthetic substances that otherwise satisfy the requirements for lawfully being labeled as “compostable.”
Post-Consumer Recycled Statutes
Along with other recycling and chemical restrictions, multiple states have passed legislation requiring plastic products to use certain amounts of post-consumer recycled (PCR) content in an effort to reduce virgin plastic use. Most of the PCR laws apply just to plastic beverage containers, but states like New Jersey and Washington have expanded the PCR required content minimums to apply to a broader range of rigid plastic containers.
Washington’s law specifically also applies to personal care products and household cleaning products, which as of Jan. 1, 2025, are now subject to a 15% PCR minimum, which increases to 25% in 2028 and 50% in 2031. The Washington Department of Ecology has begun actively enforcing the first round of its PCR minimum threshold requirements (which included required PCR minimums for plastic beverage containers and trash bags) as subject entities who did not meet the initial thresholds faced significant penalties. The Department of Ecology recently fined 23 plastic producers a combined $277,000, calculated based on each company’s 2024 sales in the state and how far off the businesses were from required thresholds. This comes after the Department of Ecology issued an initial round of fines to 35 companies last October, which totaled $416,554.
Footnotes
1 See Ottesen v. Hi-Tech Pharms., Inc., No. 19-CV-07271-JST, 2024 WL 5205539, at *7 (N.D. Cal. Dec. 23, 2024); Swartz v. Dave’s Killer Bread, Inc., No. 4:21-CV-10053-YGR, 2024 WL 4614551, at *8 (N.D. Cal. Sept. 20, 2024); Miller v. Nature’s Path Foods, Inc., No. 23-CV-05711-JST, 2024 WL 4177940, at *6 (N.D. Cal. Sept. 11, 2024); Forrett v. W. Thomas Partners LLC, 746 F. Supp. 3d 780, 788 (N.D. Cal. 2024); Shin v. Sanyo Foods Corp. of Am., No. 2:23-CV-10485-SVW-MRW, 2024 WL 4467603, at *9 (C.D. Cal. Aug. 13, 2024); Grimes v. Ralphs Grocery Co., No. CV 23-9086 TJH (PDX), 2024 WL 5470432, at *2 (C.D. Cal. Aug. 9, 2024).
The First National Health Care Fraud Takedown of the Second Trump Administration: What Stayed the Same and What Is New?
On June 30, 2025, the U.S. Department of Justice (“DOJ”), together with the U.S. Department of Health and Human Services Office of Inspector General (“HHS OIG”) and other law enforcement partners, announced the results of the 2025 National Health Care Fraud Takedown—hailed as the largest in history.
This year, DOJ’s Health Care Fraud Unit reported that 324 defendants were charged for their alleged involvement in various health care fraud schemes that involved over $14.6 billion in intended loss—more than doubling the prior record of $6 billion set in 2020 during the first Trump administration. By way of comparison, last year, the 2024 Takedown charged 193 defendants with allegedly committing more than $2.5 billion in fraud. And two years ago, the 2023 Takedown charged 78 defendants with more than $2.5 billion. To say there was a significant increase between the Biden administration and the second Trump administration would be an understatement.
That this administration would “follow the money” should not come as a surprise. As noted, the prior record was set during President Trump’s first term in 2020. In that Takedown, DOJ and HHS OIG reported 345 defendants allegedly submitted more than $6 billion in false and fraudulent claims to federal health care programs and private payers. The bulk of that 2020 Takedown, $4.5 billion, was related to telehealth.
A repeated message of DOJ in the second Trump administration has been targeting fraud, waste, and abuse in health care. As Matthew Galiotti, head of the DOJ’s criminal division said, “Today’s enforcement action represents the largest healthcare fraud takedown in American history but it’s not the end…It’s the beginning of a new era of aggressive prosecution and data-driven prevention.”
In connection with the Takedown, Galiotti also announced a new collaboration between the Federal Bureau of Investigation (“FBI”), HHS OIG, and other federal agencies to create a Health Care Data Fusion Center (“Fusion Center”) aimed at revolutionizing the detection, investigation, and prosecution of health care fraud. Led by the DOJ’s Health Care Fraud Unit and comprised of data specialists from the unit’s data analytics team, the Fusion Center “will break down information silos using coordinated data analysis, to enable our investigative teams to quickly identify and dismantle emerging fraud schemes.”
Health care companies have effectively been put on notice that the industry will continue to be a top enforcement priority for federal law enforcement efforts, so we expect to see similar figures over the course of the coming years. Furthermore, as DOJ increasingly relies on data analytics, we expect to see many investigations predicated upon health care providers who are billing outliers.
What Has Stayed the Same and What Has Changed?
In the second Trump administration, the 2025 DOJ is back to calling this a “takedown”—as opposed to an “enforcement action,” a Biden-era term. Whether this terminology change is due to its aggressive connotations or not, the scope of the takedown cannot be denied.
The 2025 Takedown operated on a global scale, with 29 defendants in transnational criminal organizations alleged to have submitted more than $12 billion in fraudulent claims to U.S. health insurance programs. Charges against 19 defendants stemmed from an investigation called Operation Gold Rush—a network of foreign straw owners who allegedly bought U.S. medical supply companies; submitted $10.6 billion in fraudulent claims to Medicare (using the stolen identities of U.S. citizens); and laundered the proceeds. Another foreign scheme involved five defendants who allegedly used artificial intelligence (“AI”) to create fake recordings of Medicare beneficiaries consenting to products and services.
As has been the case in the past, the health care fraud enforcement efforts in 2025 led to the seizure of many assets, including more than $245 million in cash, luxury vehicles and cryptocurrency. Interestingly, despite the massive increase in intended loss, this seizure is on a par with 2024, where the government reportedly seized $231 million worth of cash, cars, and gold.
One of the more interesting aspects to this year’s takedown is the inclusion of civil enforcement actions. The 2025 Takedown includes civil charges against 20 defendants for $14.2 million in alleged fraud and civil settlements with 106 defendants totaling $34.3 million. While the approximately $50 million in civil recoveries pales in comparison to the intended loss figure from the criminal enforcement, these are monies that the government either has or will likely recoup. As we have previously noted, civil cases typically involve larger corporations and more substantial financial recoveries than criminal enforcement. It is possible that emphasis on civil recoveries will become standard in future takedowns.
As for the Fusion Center, while it may be new, the Health Care Fraud Unit has been using data analytics for more than 15 years. Crunching data allows it to try to keep pace with constantly evolving fraud schemes: “Although health care fraud enforcement is necessarily reactive (and not proactive), DOJ hopes that its increasing use of data analytics will help it break the cycle of ‘pay and chase.’”
Types of Cases in this Year’s “Takedown”
This year’s Takedown is grouped into four categories of cases, down from six in 2024, although the topics remain largely the same. The 2025 cases involved:
Fraudulent wound care. The DOJ announced eight different cases involving various wound care schemes, including one case that involved seven defendants, five of whom are medical professionals, that were charged in connection with approximately $1.1 billion in allegedly fraudulent claims to Medicare and other health care benefit programs.
Prescription opioid trafficking. Seventy-four defendants, including 44 medical professionals, were charged in 58 cases for the alleged diversion of more than 15 million pills of prescription opioids and other controlled substances. Within the past six months, the Drug Enforcement Administration (“DEA”) has charged 93 administrative cases relating to the revocation of the authority to handle and/or prescribe controlled substances.
Telemedicine and genetic testing fraud. Forty-nine defendants were charged with allegedly submitting $1.17 billion in fraudulent claims to Medicare resulting from telemedicine and genetic testing. Importantly, DOJ noted that it will continue to focus on fraudulent claims related to genetic testing, durable medical equipment and COVID-19 tests, all of which have been of interest to the DOJ for at least the past five years—see, e.g., Operation Brace Yourself and Operation Double Helix.
Other health fraud schemes. One hundred seventy defendants were charged with more than $1.84 billion in allegedly false and fraudulent claims to Medicare, Medicaid, and private insurance companies regarding treatments and services that were medically unnecessary, not provided at all, or provided in connection with kickbacks and bribes.
‘Largest Target of All’
In addition to HHS OIG and the FBI, the DOJ partnered with CMS, DEA, and other enforcement agencies, including Medicaid Fraud Control Units (“MFCUs”) (see EBG’s recent blog post) for the 2025 Takedown.
As CMS Administrator Dr. Mehmet Oz noted, CMS is “probably the largest target of all, responsible for about $ 1.7 trillion dollars of disbursements.” CMS further announced on June 30 that it has successfully prevented more than $4 billion from being paid—and had suspended or revoked the billing privileges of 205 providers in the months leading up to the 2025 Takedown.
“They can pierce the veil of protection by just getting identifier numbers from our seniors or Medicaid recipients or others and thus use those tools…to hurt us,” Oz said. “What we’re doing today is changing the paradigm—not just going after bad guys and putting them behind bars but actually getting ahead of these schemes so the money never leaves our bank account.”
Takeaways
As always, these kinds of enforcement actions remind those who are involved in health care— whether as a practitioner, in the C-Suite, or elsewhere in the field—that appropriate compliance programs and general oversight remain critical. The 2025 Takedown confirms, however, that now more than ever, DOJ under Attorney General Pam Bondi will be aggressively focused on investigating, prosecuting, and preventing health care fraud, whether to address patient harm, stem the opioid epidemic and/or return money to government coffers—as President Trump and the agency have consistently said that they would.
We will continue to monitor these annual enforcement actions and other developments in this space.
Chart of Cases Filed in Federal and State Court
(Alphabetical by State)
Federal Court
# of Cases
Examples of Allegations
District of Arizona
5
Health care fraud, wire fraud, and money laundering; kickbacks
Central District of California
5
Hospice fraud; Medicaid fraud; kickbacks
Northern District of California
5
Controlled substances; claims to Medicare Advantage (MA) for unnecessary durable medical equipment (DME); money laundering from federal COVID-19 relief program; telemedicine fraud; false claims to federal programs for office visits that never occurred
Southern District of California
1
Unlawful payments to induce referrals
District of Connecticut
1
Unlawful distribution of controlled substances
District of Columbia
6
Overlapping billing scheme; health care fraud, wire fraud, mail fraud, identity theft, kickbacks; fraudulent medical paperwork
District of Delaware
2
Civil False Claims Act (FCA) telemedicine fraud scheme involving genetic testing and DME; FCA medically unnecessary genetic lab tests
Middle District of Florida
7
Kickback scheme to provide doctors’ orders to pharmacies, DME companies, and laboratories; kickbacks to companies connected to telemedicine doctors; medically unnecessary prescription medication, DME, and lab tests
Northern District of Florida
1
Conspiracy to distribute and dispense controlled substances; distribution; identity theft in connection with unlawfully diverting controlled substances
Southern District of Florida
27
Exploiting 340B Program with prescription mills; kickbacks; falsifying dispensing records; medically unnecessary or not provided DME, genetic testing, prescription drugs, telemedicine, wound products, OTC COVID-19 tests; conspiracy to sell fake nursing diplomas and transcripts, Medicare beneficiary identifier numbers; distributing controlled substances; defrauding financial institutions through cosmetic surgery/devices not provided;
Middle District of Georgia
1
DME never ordered/supplied; illegally obtained identification numbers
Northern District of Illinois
5
Schemes to defraud HRSA COVID-19 Uninsured Program; COVID-19, DME, genetic tests never requested/received; kickbacks, HIPAA violations, money laundering; misbranding of foreign-sourced drugs
District of Idaho
1
Medically unnecessary streptococcus and influenza tests; exaggerated billing protocols during COVID-19 pandemic
Eastern District of Kentucky
1
Drugs not purchased or dispensed; billing for brand name drugs when generics dispensed; billing for more expensive generics when cheaper ones dispensed
Western District of Kentucky
3
Veterinarian conspiracy to use illegal DEA number and to obtain controlled substances through false names of deceased or fictitious canines; theft of medical products and controlled substances
Eastern District of Louisiana
4
Embezzling funds from a nonprofit receiving grants from HHS; medically unnecessary genetic testing; kickbacks; COVID-19 tests not requested; medically unnecessary genetic testing; kickbacks
Middle District of Louisiana
2
Paycheck Protection Program (PPP) schemes
District of Maine
1
ID theft, false statements relating to health care, unlawful use of SNAP benefits
District of Massachusetts
1
Medically unnecessary DME; kickbacks
Eastern District of Michigan
6
Conspiracy to distribute/distribution of controlled substances; civil FCA for prescription drugs billed, never dispensed, and nonexistent/substandard services to nursing home residents; medically unnecessary home health services; pharmacy owner’s fraudulent billing for medications that were medically unnecessary, never dispensed, and/or never prescribed
Western District of Michigan
1
Dental services not rendered
Northern District of Mississippi
1
Pharmacists billing for same prescription drugs multiple times with return scheme
Southern District of Mississippi
2
Unnecessary DME, diagnostic testing, and PPP schemes; kickbacks
District of Montana
2
Fraud involving federal benefits including Social Security disability and Medicaid
District of Nevada
2
Kickbacks for amniotic wound allografts
District of New Hampshire
2
Fraud involving psychotherapy treatment and telehealth; medically unnecessary DME
District of New Jersey
11
Conspiracy to distribute controlled substances in connection with opioids; drugs never dispensed to beneficiaries; kickbacks for lab tests and DME; high-reimbursement drugs never dispensed by pharmacy; medically unnecessary services/treatment; fraudulent dental services
Eastern District of New York
5
Operation Gold Rush (purchase of DME companies to submit billions in false claims and money laundering); conspiracy to distribute/distribution of narcotics; pharmacy fraud with drugs not dispensed; kickbacks; medically unnecessary DME
Northern District of New York
3
Psychotherapy services never provided; distributing/dispensing controlled substances; impermissible use of provider relief funds; false/inaccurate Medicare cost reports by skilled nursing facilities; false claims to TRICARE and Medicaid by altering compounded medications
Southern District of New York
2
COVID-19 testing and other services never provided; fraudulent prescriptions using stolen identities of practitioners and patients
Western District of New York
3
Fraudulent telehealth; criminal, civil FCA for medically unnecessary DME; distributing/dispensing controlled substances
Eastern District of North Carolina
2
Kickbacks; medically unnecessary DME
Western District of North Carolina
2
Medically unnecessary/not performed drug tests; purchasing/selling Medicaid numbers; money laundering; behavioral services not provided
District of North Dakota
1
Nonmedical emergency transport services, PPP loan
Northern District of Ohio
1
DME telemedicine scheme
Southern District of Ohio
1
Continued operation of substance abuse treatment facility after exclusion; counseling services improper or not provided
Northern District of Oklahoma
1
Conspiracy to distribute/prescribe controlled substance
Western District of Oklahoma
1
Nonexistent/partial visits in skilled nursing facilities
District of Oregon
1
Kickbacks/bribes for medically unnecessary braces
Eastern District of Pennsylvania
1
Kickbacks to refer home care patients to home care agencies; home care services never provided
District of South Carolina
2
Unauthorized/never delivered DME; therapy services to veterans never/improperly rendered
Middle District of Tennessee
1
Inpatient hospital/physician services never provided
Western District of Tennessee
1
Prescription medications never dispensed
Northern District of Texas
4
Physical therapy and devices not medically necessary/not provided/improper; kickbacks for OTC COVID-19 and EEG tests not requested or necessary; genetic testing never requested, ordered, and/or performed
Southern District of Texas
21
Kickbacks for medically unnecessary genetic and diagnostic tests; fraudulent hospice services; conspiracy to distribute/dispense controlled substances; skin substitutes; mental health therapy; DME and COVID-19 tests; COVID-19 diagnosis and treatment consultations; medically unnecessary footbath drugs
Western District of Texas
1
Kickbacks for medically unnecessary/ineligible hospice services
District of Vermont
3
Medically unnecessary/never provided DME; pharmaceutical company shipping controlled substances and misbranded pharmaceutical drugs
Eastern District of Virginia
6
Overbilling for environmental modifications; advertising and false billing for unapproved devices; medically unnecessary/not provided products and services; criminal tampering with drugs; fraudulent billing for residential group home services
Western District of Washington
2
Billing for unapproved product; obtaining controlled substances
Northern District of West Virginia
1
Kickbacks; false claims to Medicare for DME, devices, cancer testing, foot bath medications
State Court
# of Cases
Examples of Allegations
California
8
Patients not qualifying for hospice services; theft in connection with in-home services; prescribing/furnishing controlled substances; dependent adult abuse/assault with a deadly weapon
Illinois
4
Unlawful acquisition/possession of controlled substance; forgery/practicing nursing without license; fraudulent home services
Indiana
12
Obtaining controlled substances and possessing narcotics; fraud by home health aides
Louisiana
6
Intentionally/criminally negligent mistreatment/neglect at residential facilities; false claims for behavioral health, home care and personal care services
Massachusetts
1
Scheme to steal funds from personal care assistants
Michigan
2
Telephone/management/medical services not provided
Missouri
9
Personal care services never provided; misrepresentation of qualifications for mental health services; assault
New York
20
Civil settlement by Medicaid transportation companies for services never provided/inflated tolls; kickbacks; falsifying business records for home health hours; nurse’s aide stealing from patient
Ohio
12
Services not provided
Pennsylvania
2
Services not provided; inappropriate sexual contact with patient
South Carolina
1
Money laundering; exploitation of vulnerable adult/resident of health care facility
Wisconsin
1
Psychotherapy sessions that never took place
Ann W. Parks contributed to this article
No One Wants to Dispute with Consumers – End of the European Online Dispute Resolution Platform (ODR Platform)
Under the Regulation (EU) No 524/2013 on online dispute resolution for consumer disputes (ODR Regulation) traders established in the European Union (EU) who sell or offer products or services online to consumers residing in the EU are required to provide an easily accessible and clickable link to the EU’s ODR Platform on their websites to enable consumer to resolve disputes regarding the obligations stemming from the online sales or service contracts out of court. Until now…
This ODR Regulation is now repealed with effect from 20 July 2025, pursuant to Regulation (EU) 2024/3228. Despite the large number of visitors to the ODR Platform, only a minority of consumers submitted a complaint, and only 2%, i.e. 200 cases per year, were even responded to by traders which is the prerequisite for further alternative dispute resolution proceedings. Due to the apparent lack of significance of the ODR platform, the EU has decided to discontinue its operation. The ODR platform will therefore be discontinued from 20 July 2025.
Traders who have provided a link to the ODR platform on their website (e.g. in the terms and conditions or otherwise) in accordance with their legal obligation must now remove this link from their website by the cut-off date of 20 July 2025 to avoid enforcement exposure due to misleading consumers.
It may be a good idea to review in this context the entire website (including terms and conditions) to ensure compliance with European and national e-commerce laws.
MDEP Receives 11 CUU Proposals for Products Containing Intentionally Added PFAS Scheduled for Prohibition in 2026, Recommends Two for CUU Determinations
As reported in our April 11, 2025, blog item, applications for currently unavoidable use determinations for products containing intentionally added perfluoroalkyl and polyfluoroalkyl substances (PFAS) and scheduled to be prohibited in Maine on January 1, 2026, were due June 1, 2025. The agenda for the July 17, 2025, meeting of the Maine Board of Environmental Protection (MBEP) includes a proposed amendment to Chapter 90: Products Containing PFAS. According to the Maine Department of Environmental Protection (MDEP) Staff Memo hyperlinked in the agenda, MDEP received 11 proposals for CUU determinations in the following product categories: cookware (five proposals); cleaning products (four proposals); cosmetic product container (one proposal); and upholstered furniture (one proposal). MDEP has recommended that two of the proposals for CUU determinations, both for cleaning products, be granted.
Maine’s PFAS regulations require that CUU proposals include an explanation of why the availability of PFAS in the specific product is essential for health, safety, or the functioning of society and whether alternatives are available. Maine’s PFAS statute defines “essential for health, safety or the functioning of society” as:
[A] use of a PFAS in a product when the function provided by the PFAS is necessary for the product to perform as intended, such that the unavailability of the PFAS for use in the product would cause the product to be unavailable, which would result in:
(1) A significant increase in negative health outcomes;
(2) An inability to mitigate significant risks to human health or the environment; or
(3) A significant disruption of the daily functions on which society relies.
Under the PFAS statute, intentionally added PFAS will be banned in the following products on January 1, 2026, unless the product has a CUU determination:
Cleaning products;
Cookware;
Cosmetics;
Dental floss;
Juvenile products;
Menstruation products;
Textile articles (the prohibition does not include outdoor apparel for severe wet conditions or textile articles that are included in or a component part of a watercraft, aircraft, or motor vehicle, including an off-highway vehicle);
Ski wax; and
Upholstered furniture.
The prohibition applies to any of these products that do not contain intentionally added PFAS but that are sold, offered for sale, or distributed for sale in a fluorinated container or in a container that otherwise contains intentionally added PFAS.
The Staff Memo summarizes the CUU proposals received, grouping them by category:
Cookware Category
Product Description: Cookware and Bakeware
Three proposals request a CUU determination for polytetrafluoroethylene (PTFE) as a coating that comes in contact with food on cookware surfaces for its non-stick behavior, chemical and abrasion resistance, resistance to heat and corrosion, and long-lasting product performance. Each proposal states that these properties are essential for consumers’ health and safety when cooking due to the resulting low or no fat use during cooking, predictable results by preserving food texture, prevention of burning, and easy clean-up which reduces detergent and water use. The Staff Memo states that the alternatives identified are commonly known and readily available. Based on the lack of evidence that the products meet the statutory definition of essential for health, safety, and the functioning of society, and that reasonably available alternatives that function similarly are readily obtainable, MDEP “does not recommend approving the CUU proposals for the use of PFAS in cookware.”
Product Description: Cookware, Small Kitchen Appliances
This proposal requests a CUU determination for fluoropolymer-coated small kitchen appliances. The submitter states that fluoropolymers, particularly PTFE, are essential components for this product category, ensuring the long-term effectiveness of small kitchen appliances and supporting healthier cooking practices by reducing the need for added fats and enabling easier cleaning. According to the proposal, alternatives such as cast iron, stainless steel, and raw aluminum do not possess natural non-stick capabilities, and ceramic coatings lack non-stick durability and overall performance over time. Based on the lack of evidence that the product meets the statutory definition of essential for health, safety, and the functioning of society, and that reasonably available alternatives that function similarly are readily obtainable, MDEP “does not recommend approving the CUU proposals for the use of PFAS in this type of cookware.”
Product Description: Coffee Maker
The proposal requests a CUU determination for PFAS compounds intentionally added to component parts of coffee makers such as tubing, gaskets, solenoid valves, and vibrating pumps. The submitter describes the PFAS use as essential for chemical stability, resistance to high pressure, durability, maintenance through high temperatures, and long-lasting non-stick and self-lubricating properties. The proposal states that the properties provided by intentionally added PFAS are essential for consumers’ health and safety when using the product because it can be “…more cost-effective than purchasing coffee from outside sources as consumers can choose the type of coffee, quantity, and minimize waste.” Alternatives include silicone, non-PFAS polymers, and ceramics, which are commonly known and readily available. According to the submitter, these alternatives “do not offer the same combination of properties such as resistance to high pressure and temperature, as well as resistance to friction.” Based on the lack of evidence provided that the unavailability of PFAS for use in this product category would result in any of the negative outcomes set forth in the criteria of essential for health, safety, or the functioning of society and that reasonably available alternatives that function similarly are obtainable, MDEP “does not recommend approving the CUU proposal for the use of PFAS in this type of cookware.”
Cleaning Product
Product Description: Liquid Cleaner Container — Internal Cartridge Valve
The proposal requests a CUU determination for PFAS compounds in component parts of a container valve located at the top of the internal cartridge. According to the Staff Memo, the vent described is designed to withstand chemical compatibility challenges posed by highly corrosive formulations and associated off gassing of the liquid cleaning product within the container. The PFAS used in the component “allow[] for delicate and finely tuned mechanical interaction that helps repel aggressive substances and maintain performance integrity. The vent controls the dilution ratio of concentrated cleaners held within the container, ensuring control of the dilution ratio of concentrated cleaners.” The properties provided by the intentionally added PFAS are essential for consumers’ health and safety when using the product “because controlled dilution is critical to efficacy and limited exposure to concentrated cleaners held within the container.” The Staff Memo notes that the submitter states there are no alternatives currently available that are adequate to meet the performance criteria for the product. Because this component of the container performs a vital role for the product within it to function properly and there is concern for consumer safety should this container valve fail, MDEP “recommends approval of this CUU proposal.”
Product Description: Electric Air Care Product Components
The proposal requests a CUU determination for PFAS compounds in internal component parts of an electric fragrance warmer. According to the Staff Memo, within tubes located in the resistor assembly, “PFAS are used to provide a flame-retardant barrier around conductive elements, protect against high temperatures, humidity, and mechanical stress.” The submitter claims the PFAS is “critical as a protective barrier to prevent human contact with live electrical parts, resist fatigued wiring wear over time, as well as reduce risk of short circuits” and the properties provided are essential for consumers’ health and safety “to prevent insulation failure, reduce risk of short circuits, prevent human contact, and overheating or fire.” Although silicone is an alternative that offers flexibility and heat resistance, the Staff Memo notes that according to the proposal, “it typically does not meet the full performance profile criteria for this product; particularly, chemical resistance and long-term endurance.” Based on the lack of evidence provided that the unavailability of PFAS for use in this product category would result in any of the negative outcomes set forth in the criteria of essential for health, safety, or the functioning of society and that reasonably available alternatives that function similarly are obtainable by consumers, MDEP “does not recommend approving this CUU proposal.”
Product Description: Electric Air Care Product Plug-In
The proposal requests a CUU determination for PFAS compounds in internal component parts of an electric air freshener. Within the plug deck of the device, PFAS is used to coat the wiring jackets. The Staff Memo states that the submitter describes the PFAS in the component as providing a flame-retardant barrier around stranded copper conductors, providing resistance to heat, cold, humidity, and mechanical stress, as well as preventing insulation failure that could lead to short circuits or fires. Use of PFAS is essential for electrical safety and prevention of human contact with live electrical parts, reducing the risk of electric shock. The proposal notes that silicone is an alternative that offers flexibility and heat resistance, although it typically does not meet the full performance profile criteria for this product; particularly, chemical resistance and long-term endurance. Based on the lack of evidence provided that the unavailability of PFAS for use in this product category would result in any of the negative outcomes set forth in the criteria of essential for health, safety, or the functioning of society and that reasonably available alternatives that function similarly are obtainable by consumers, MDEP “does not recommend approving this CUU proposal.”
Product Description: Container Vented Cap Liners
This proposal requests a CUU determination for PFAS in components of a container. According to the Staff Memo, specific to vented cap liners of foam and induction foils, the submitter states that intentionally added PFAS allows lighter weight packaging, higher concentration of active ingredients, and more effective products. The submitter describes the PFAS applied to finished cap liner vents specific to the proposal as components of containers for several product categories, such as cleaning products, haircare products, and liquid chemicals. The vents provide the necessary function of safely allowing off gassing from the containers across all three product categories, avoiding containment failure. The proposal notes that alternatives such as polypropylene membranes, cellulose acetate membranes, polyester polyethersulfone membranes, polyethylene, and polyolefin membranes have been assessed, but none are suitable for this application and performance standard. Because this internal component of a container performs vital roles for the product to function in a safe manner across multiple product categories (cleaning products and cosmetic products) subject to the 2026 sales prohibition, MDEP “recommends approval of this CUU proposal.”
Cosmetics
Product Description: Container O-Ring, Used For Hand Lotion
The proposal requests continued use of PFAS compounds in internal component parts of a container cartridge; specifically, the O-ring made with vinylidene fluoride-hexafluoropropene polymer. According to the Staff Memo, the submitter states that the PFAS used is inert and has superior properties to provide the seal functionality necessary to ensure chemical compatibility with these complex product formulations. The product is marketed to provide accessible skin protection and hydration in high-risk environments like industrial, healthcare, and food service settings. Alternatives such as silicones, ethylene propylene diene monomer (EPDM), and other elastomers have been identified, but the submitter states that none match the compatibility necessary for this specific product formulation. Identified alternatives show unacceptable levels of degradation, cracking, brittleness, hardness, or swelling of the material due to chemical incompatibility, leading to seal failure. The submitter notes that an alternative material may be found if given additional time for development. The Staff Memo notes that the product is outside the statutory exemption for “any product that is a medical device, drug or biologic or that is otherwise used in a medical setting or in medical applications that are regulated by or under the jurisdiction of the United States Food and Drug Administration,” and lacks evidence that the unavailability of PFAS for use in this product category would result in any of the negative outcomes set forth in the criteria of essential for health, safety, or the functioning of society. MDEP “does not recommend approval of this CUU proposal for the continued use of PFAS in the O-ring of this product.”
Upholstered Furniture
Product Description: Massage Chair, Internal Mechanical Component
The proposal requests a CUU determination for PFAS in internal component parts of a massage chair, specifically in the ball bearings of internal mechanical components of the massage chair. The submitter states that PFAS help prevent mechanical noise, as well as providing longevity and safe performance for the product. The proposal describes the importance of PFAS use as including reduced friction and ensuring safe operability of internal mechanical components. The non-PFAS alternatives tested do not meet performance standards. Based on the lack of evidence provided that the unavailability of PFAS for use in this product category would result in any of the negative outcomes set forth in the criteria of essential for health, safety, or the functioning of society and that reasonably available alternatives that function similarly are obtainable, MDEP “does not recommend approving this CUU proposal.”
Next Steps
The Staff Memo recommends that the MBEP initiate rulemaking by posting for public comment and a public hearing the proposed amendments to rule Chapter 90 and to coordinate with the MBEP Executive Analyst regarding the date of the hearing and close of comment period. The amendments proposed by MDEP would amend the PFAS regulations to add the two CUU determinations recommended for approval. The MBEP meeting will be available via Zoom at https://mainestate.zoom.us/j/84609389474.
Commentary
These are the first CUU proposals to be submitted in Maine, and the Staff Memo offers important insight into how MDEP will evaluate CUU proposals. Given the similarity with other state CUU approaches, these first CUU decisions may be illustrative of how other states may deliberate. After the January 1, 2026, prohibition takes effect, the next prohibition date is January 1, 2032. That will apply to all products containing intentionally added PFAS that are not otherwise exempt, are cooling, heating, ventilation, air conditioning, or refrigeration equipment, or are refrigerants, foams, or aerosol propellants. Under the regulations, MDEP will not consider any proposals for an initial CUU determination prior to 60 months in advance of the applicable sales prohibition; any proposals received prior to this date will need to be updated and resubmitted between 60 and 18 months before the effective date of the applicable sales prohibition. For the January 1, 2032, prohibition, CUU proposals will be due between January 1, 2027, and July 1, 2030.
Stakeholders with products subject to the January 1, 2032, prohibition should carefully review the CUU proposals submitted to MDEP and determine whether the use of PFAS in their products is “essential for health, safety or the functioning of society” and what data are necessary to support that judgment.
DOJ’s 90-Day Data Security Compliance Grace Period is Over: Are You Compliant?
The U.S. Department of Justice (“DOJ”) Data Security Program (“DSP”) 90-day enforcement grace period ended as of July 8, 2025. While the program became effective April 8, 2025, DOJ implemented a 90-day enforcement grace period until July 8, 2025 for good-faith efforts towards compliance (see our previous blog here). With the expiration of the grace period, the majority of the DSP is now effective and will be enforced.
Background
As a reminder, the DOJ DSP aims to protect Americans’ sensitive personal data and certain U.S. Government-related data from foreign adversaries (see our blog here for more details on the rule). Specifically, the program prohibits or restricts “covered data transactions,” i.e., any transaction that involves any access by a country of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela) or covered person to any bulk U.S. sensitive personal data or government-related data (as defined in the regulations) and that involves data brokerage; a vendor agreement; an employment agreement; or an investment agreement. Common types of data that will be subject to this rule include health and biometric data; human genomic data; financial data; personal health data; government identification numbers (such as social security numbers); demographic and contact information; and network, device, and advertising identifiers.
Enforcement Timeline and Path to Compliance
While the majority of the DSP is now effective and will be enforced as of July 8, 2025, the DSP includes another deadline for companies to establish required internal policies and procedures. By October 6, 2025, companies must implement the final requirements of the DSP to create a data compliance program (if participating in restricted transactions) and comply with reporting and auditing requirements.
It is crucial that companies evaluate and strengthen their data practices in advance of the upcoming October 6, 2025 deadline. Specifically, U.S. entities subject to the DOJ DSP should evaluate the following when shoring up compliance efforts:
Risk-based procedures for data security
Vendor management and validation
Written data and security policies with annual certification
Employee training programs
Dedicated compliance personnel
Audit, record-keeping, and reporting procedures and procedures for data security compliance
Companies should not delay in implementation of compliance programs. This is especially pertinent when considering the potential enforcement penalties associated with the DSP. The DOJ may bring civil enforcement actions and criminal prosecutions for knowing or willful violations of DSP requirements.
Connecticut Attorney General Announces First Settlement under Connecticut Data Privacy Act
On July 8, 2025, Connecticut Attorney General William Tong announced a settlement with TicketNetwork for alleged violations of the Connecticut Data Privacy Act (“CTDPA”). According to the Attorney General’s press release, the Office of the Attorney General (“OAG”) first sent a “cure notice” to TicketNetwork on November 9, 2023. In that notice the OAG alleged that the company’s privacy notice was deficient under the CTDPA and provided the company with an opportunity to cure the alleged violation. In particular, the OAG alleged that the company’s privacy notice was largely unreadable, missing key data rights and contained rights mechanisms that were misconfigured or inoperable.
The CTDPA previously provided businesses with a cure period of 60 days, and, according to the OAG, TicketNetwork did not resolve the alleged violations until “well beyond the cure period.” The OAG also stated in its press release that the company “repeatedly represented that they had resolved deficiencies when they had not done so, and failed to timely respond to follow-up correspondence.” Under the settlement, TicketNetwork has agreed to comply with the requirements of the CTDPA, maintain metrics for consumer rights requests received under the CTDPA, provide a report of these metrics to the OAG and pay $85,000.
Importantly, the CTDPA’s cure period expired on January 1, 2025 and the OAG’s press release makes clear that the OAG is focused on enforcing the law’s transparency requirements.
TREND: American Express DESTROYED by Discovery Order in TCPA Class Action as ANOTHER #BIGLAW Firm Fails
Repeat after me:
Hire Big Law.
Expect a Big Loss.
At least in TCPAWorld.
Here is ANOTHER example.
In Duke v. American Express, 2025 WL 1918643 (D. Az. July 12, 2025) American Express was just needlessly required to produce a massive amount of data regarding wrong number calling pre-certification.
The case stems from a pre-recorded call to a wrong number– as anyone will tell you this is a dangerous fact pattern.
The discovery demands here are insanely vague and misshapen but it looks like AmEx did not properly support its burden objections or otherwise frame out its scope and ambiguity objections (reasonably particularized category of existing documents? Yeah right.) So court overruled objections and compelled production.
REALLY IMPORTANT NUANCE here.
AmEx had previously produced records of prerecorded calls made AFTER a wrong number notation but the Court found that was insufficient.
In a TCPA case calls to wrong numbers are actionable BEFORE the caller is informed.
SO SO SO IMPORTANT TO UNDERSTAND THAT– THERE IS NO NOTICE UNDER THE TCPA!!!!
As a result AmEx now has to produce records of calls that were made to a number even BEFORE the wrong number notation was placed. And that is going to be insanely painful and burdensome.
AmEx elected to hire a #biglaw firm to represent it and, well, they got a big loss.
Expect an eight figure settlement folks.