Immigration Enforcement and Healthcare Facilities: Key Considerations for Providers

Recent changes in federal immigration enforcement practices have prompted renewed attention to how healthcare providers manage requests from law enforcement agencies. While federal policy continues to recognize healthcare facilities as sensitive environments, there has been increased interest in enforcement activity in or around such locations. Healthcare organizations should consider taking this opportunity to review internal protocols and confirm they are prepared to respond in a manner that is consistent with applicable federal and state law.
This post outlines key considerations related to patient privacy, facility access, and provider obligations when immigration enforcement activity intersects with clinical operations.
Patient Privacy and Requests for Information
Healthcare providers remain subject to the requirements of the Health Insurance Portability and Accountability Act (HIPAA), which generally prohibits the disclosure of protected health information (PHI) without patient authorization, except in limited circumstances. One such exception is when disclosure is required by law—for example, pursuant to a valid court order or a judicial warrant.
Providers should be aware that administrative warrants issued by immigration authorities alone typically do not meet HIPAA’s “required by law” standard. In such instances, providers should consider verifying whether the request is supported by sufficient legal authority before disclosing patient information. Internal policies and staff training may help ensure that any disclosures are appropriately limited in scope and consistent with federal and state privacy laws.
Facility Access and On-Site Enforcement Activity
In some cases, immigration officials or other law enforcement personnel may seek to enter a healthcare facility to interview or take custody of an individual. Providers should consider preparing for such scenarios by identifying points of contact for handling law enforcement inquiries, establishing protocols for reviewing documentation, and confirming when legal counsel should be contacted.
Importantly, hospitals and other emergency care providers remain obligated to comply with the Emergency Medical Treatment and Labor Act, which requires the screening and stabilization of patients seeking emergency care, regardless of their background or circumstances.
Nondiscrimination and Access to Care
Providers that participate in Medicare or Medicaid are also subject to federal nondiscrimination requirements under the Civil Rights Act and Section 1557 of the Affordable Care Act, as well as state civil rights laws. These laws generally prohibit denying care on the basis of national origin or perceived immigration status. Healthcare organizations may wish to review their policies to ensure they reflect these ongoing obligations.
State and Local Considerations
In addition to federal law, healthcare providers should consider any applicable state or local requirements related to law enforcement interactions, patient rights, or data privacy. Several state attorneys general and regulatory agencies have issued advisories or guidance materials to assist providers in navigating these issues. For example, Maryland’s attorney general released guidance for Maryland providers in light of the recent policy changes on immigration enforcement. Reviewing such materials in consultation with counsel may help organizations develop compliant, well-informed operational protocols.
Conclusion
As enforcement practices evolve, healthcare providers would benefit from reviewing their procedures for responding to law enforcement activity—particularly in contexts involving patient privacy, facility access, and legal process. A proactive approach can help ensure compliance with relevant laws and support the delivery of uninterrupted, nondiscriminatory care.
Providers with questions about specific scenarios or legal requirements are encouraged to consult our team to assess how these considerations apply in their jurisdiction and operational context.

FedRAMP 20x – Major Overhaul Announced to Streamline the Security Authorization Process for Government Cloud Offerings

On March 24, 2025, the Federal Risk and Authorization Management Program (“FedRAMP”) announced a major overhaul of the program, which is being called “FedRAMP 20x.” The FedRAMP 20x announcement stated there are no immediate changes to the existing authorization path based on agency sponsorship and assessment against the FedRAMP Rev 5 baseline.[1] However, once the initiative kicks off, we expect major changes to speed up and streamline that authorization path that likely will be welcomed by industry partners and cloud service providers participating in the program. Below are key points based on the recent FedRAMP 20x announcement.
The primary goals of the FedRAMP 20x initiative include:

Seeking to implement the use of automated validation for 80% of FedRAMP requirements, which would leave about 20% of narrative as opposed to the current 100% narrative explanations required in the document submission package.
Leaning on industry partners to provide continuous simple standardized machine-readable validation of continuous monitoring decisions.
Fostering trust between industry and federal agencies to promote direct relationships between cloud service providers and customers. Note, this appears to indicate that the FedRAMP Program Management Office (“PMO”) will have a much smaller role moving forward with respect to the authorization process and assessments.
Replacing annual assessments with simple automated checks.
Replacing the significant change process with an approved business process that will not require additional oversight to be developed in collaboration with industry.

FedRAMP 20x is an initiative that will be implemented in phases. The timeline for Phase 1 has not been announced but, once it is open, Phase 1 seeks to streamline the authorization process for eligible participants and authorized cloud service offerings in weeks rather than months. Phase 1 will focus on Software-as-a-Service offerings with the following characteristics: 

Deployed on an existing FedRAMP Authorized cloud service offering using entirely or primarily cloud-native services;
Minimal or no third party cloud interconnections with all services handling federal information FedRAMP Authorized;
Service is provided only via the web (browser and/or APIs);
Offering supports a few standard customer configured features needed by federal agencies (or the cloud provider is willing to build that capability quickly); and
Existing adoption of commercial security frameworks is a plus (SOC 2, ISO 27000, CIS Controls, HITRUST, etc.).

The practical implications of Phase 1 appear to be positive. Cloud service providers will be able to submit fewer pages for authorization submissions (i.e., less narrative, and more standard configuration choices for documentation). The documentation required for Phase 1 includes (1) documentation of security controls implemented by the cloud service provider and (2) materials demonstrating the cloud service provider’s existing commercial security framework to the extent it overlaps with FedRAMP requirements (e.g., a Security & Privacy Policy). There will be an automated validation component for Phase 1 authorizations, which may involve making configuration changes as needed to meet certain security controls. Following the assessment process, the cloud service offering will receive a score related to Confidentiality, Integrity, and Availability of federal information, and federal agencies will review this information to make risk assessments prior to adoption. Lastly, there will be changes to continuous monitoring with the replacement of annual assessments with simple automated checks and a new significant change process that will not require additional oversight.
Overall, with less documentation and narrative explanation, a more automated process with quicker authorization timelines, and less burdensome continuous monitoring activities due to enhancements through automation, the goal of FedRAMP 20x changes is to establish more efficient authorization and continuous monitoring processes. This should make it easier for cloud providers to sell their offerings to the government. Industry participation is a major focus of the new initiative. There are community engagement groups planning to begin meeting immediately and there will be opportunities for public comment as new ideas and documentation are rolled out. The community group meetings are focused on four topics: (1) Rev 5 Continuous Monitoring, (2) Automating Assessments, (3) Applying Existing Frameworks, and (4) Continuous Reporting. For those in this space, it will be important to participate to ensure industry partners are involved in shaping the program. The schedule for the meetings can be found here.

FOOTNOTES
[1] The FedRAMP Rev. 5 baseline aligns with National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5.

When Is Conduct ‘Primarily and Substantially’ in Massachusetts Under Chapter 93A?

The District of Massachusetts continues to refine the contours of conduct occurring “primarily and substantially” within the Commonwealth that could give rise to a Chapter 93A Section 11 claim, as illustrated by Pro Sports Servs. FI OY v. Grossman. Courts continue to look at the “center of gravity” of the specific circumstances giving rise to the claim to determine if the conduct occurred “primarily and substantially” in the Commonwealth. In this case, the conduct giving rise to the claim did not occur in Massachusetts, and the claim was dismissed. 
Plaintiff brought an action alleging, among other things, a violation of Chapter 93A arising from defendant’s refusal to satisfy an arbitration award. Plaintiff originally contracted with an agency in New York owned by defendant to represent Finnish ice hockey players. After two arbitrations related to the agency’s failure to make certain payments under the contract, plaintiff learned defendant incorporated a new entity in Massachusetts and transferred funds to that entity allegedly to obfuscate and avoid the judgment against it.
Defendant moved to dismiss on the basis that the facts giving rise to the claim occurred outside the Commonwealth. The allegations in the amended complaint connecting the claim to the Commonwealth included (1) a business entity incorporated under the laws of the Commonwealth; (2) the defendant residing in the Commonwealth; (3) the New York entity having the same address as the Commonwealth entity; and (4) the defendant’s allegedly fraudulent transfer of assets from New York to Massachusetts. The court found these facts insufficient. While they provided a connection to Massachusetts, the judgment against the New York entity was obtained in New York. Thus, the substantial conduct giving rise to the Chapter 93A claim occurred outside the Commonwealth and the claim was dismissed.

ANOTHER BIG VICARIOUS LIABILITY WIN FOR TCPA DEFENDANT: Nevada Court Holds Providing Scripts and Training Alone Insufficient for TCPA Agency Liability

Hi TCPAWorld! Another huge vicarious liability win for a TCPA defendant!
The United States District Court for the District of Nevada has dismissed with prejudice all claims alleged by Plaintiff Kelly Usanovic (“Usanovic”) against Americana LLC (DBA Berkshire Hathaway HomeServices Nevada Properties or “BHHS”). Kelly Usanovic v. Americana, L.L.C., No. 2:23-cv-01289-RFB-EJY, 2025 WL 961657 (D. Nev. Mar. 31, 2025). The court concluded that Usanovic failed to plausibly allege that BHHS could be held liable for unsolicited calls made by its affiliated real estate agents under federal agency law principles.
Kelly Usanovic filed a class action lawsuit in August 2023 against BHHS alleging violations of the TCPA. Specifically, Usanovic claimed BHHS agents repeatedly called her cell phone despite it being listed on the National DNC Registry.
Usanovic alleged that BHHS should be vicariously liable under the TCPA, arguing that the company had provided training materials encouraging agents to cold-call consumers using third-party vendors like RedX, Landvoice, Vulcan7, and Mojo—vendors who purportedly supplied phone numbers on the National DNC Registry. Usanovic alleged these materials showed BHHS’s control and authorization of agents’ unlawful calls, seeking to hold BHHS responsible via agency theories of actual authority, apparent authority, and ratification.
Well, Judge Richard F. Boulware II disagreed and granted BHHS’s motion to dismiss WITH PREJUDICE reasoning that vicarious liability under the TCPA requires establishing a true agency relationship under federal common-law agency principles.
The court found that although BHHS was alleged to have provided general scripts, training, and recommendations on dialers and vendors, these actions alone were insufficient to establish an agency relationship. Critically, the Court underscored that Usanovic failed to allege essential elements of agency, such as BHHS’s direct control over the agents’ day-to-day call activities, the agents’ working hours, or their choice of leads. Simply offering resources and optional training sessions does not establish the requisite control necessary for vicarious liability under the TCPA.
On actual authority, the Court concluded that merely providing guidance to agents does not demonstrate authorization or instruction to call numbers listed on the Do Not Call Registry.
Regarding apparent authority, the Court stated that Usanovic did not plead any statements from BHHS that could reasonably lead her to believe the agents were authorized to violate the TCPA. The mere identification of agents as affiliated with BHHS was deemed insufficient.
Finally, for ratification, the Court found no allegations that BHHS knowingly accepted benefits from agents’ unauthorized calls or acted with willful ignorance.
Thus, because Usanovic’s complaint lacked plausible facts to support any of these common law agency theories, the court dismissed the TCPA claims with prejudice—denying further amendment due to prior opportunities to correct these deficiencies.
There you have it! Another court ruling that knowledge of illegality is required for vicarious liability to attach!

KEYS TO THE CASTLE: Castle Credit Stuck in TCPA Class Action Over Debt Collection Calls

TCPA class actions can be incredibly scary and pose a massive risk to callers of all sorts.
While the statute has generally been enforced against marketers as of late, servicers and collectors of debts may also find themselves in TCPA hot water, particularly if they are using prerecorded calls or ringless voicemail.
This is true even when a calling party originally has consent–that consent can burst like a bubble anytime a consumer asks for calls to stop. And it can be VERY difficult to prove a negative unless every call is recorded.
For instance, in Cannon v. Castle Credit, 2025 WL 975805 (N.D. Ill. April 1, 2025), a Defendant’s motion for summary judgment was denied–i.e. the collector must face trial–because the plaintiff claims he revoked his consent.
In Cannon, Castle allegedly called Plaintiff hundreds of times, including through the use of a ringless voicemail system (VoApps).
Plaintiff claimed that he asked not to be called on several of those calls. However, the Defendant’s records did not reflect the do not call request and calls continued.
Defendant moved for summary judgment arguing the Plaintiff’s inability to provide the specifics around his revocation coupled with the numerous call recordings of calls in which Plaintiff did not revoke consent demonstrated he never actually revoked as he claimed.
But the Court sided with Plaintiff finding his testimony that he revoked consent was sufficient admissible evidence to require a jury to figure out what really happened.
Making matters worse, although Defendant argued it had not used an ATDS, the Court determined that did not matter–Castle’s concession it had used VoApps (a prerecorded RVM) meant it was potentially liable under 227(b) regardless of whether an ATDS was used.
This last point is an important one to drive home. Even if calls are placed manually, leaving a prerecorded voicemail will automatically trigger the TCPA. So be careful!
Also worth noting, this case arises out of a REVOCATION that allegedly went unheeded. Well, in just 9 days the scope of revocation rules is about to EXPLODE. If you’re not ready for this you need to be! (The FCC has taken no action to stay the rule as of yet, although many are hoping it will.)

Alternative Paths: Court Denies Motion to Dismiss Quiet Hours Provision Claim

Many lawsuits in the past few months have claimed violations of 47 C.F.R. § 64.1200(c)(1) and 47 U.S.C. § 227(c)(2) (the “Quiet Hours Provision”) of the TCPA. Previously, the Quiet Hours Provision saw very few filings, meaning there is currently very little case law interpreting this area of law. On March 28, 2025, the District of New Jersey denied a motion to dismiss a Quiet Hours Provision claim—and potentially gave a preview of how the cases will be adjudicated in a practical manner.
In Jubb v. CHW Group Inc., No. 23CV23382 (EP) (MAH), 2025 WL 942961 (D.N.J. Mar. 28, 2025), the court denied a motion to dismiss which argued that the Quiet Hours Provision claim was duplicative of the plaintiff’s Do Not Call (“DNC”) claim. Id. at *7. The defendant in Jubb argued that the Quiet Hours Provision claim should be dismissed as duplicative of the DNC claim, because both claims arise from 47 U.S.C. § 227(c).
There is no doubt that both claims arise out of Section 227(c). Section 227(c)(5) of the TCPA is where we see a lot of claims—this is the DNC provision. The DNC provision provides that, when an individual whose phone number has been registered on the national DNC registry for more than thirty days receives more than one telephone solicitation in a twelve-month period, that individual has a private right of action. See 47 U.S.C. § 227(c)(5). Section 227(c)(2), on the other hand, implements additional regulations, including the Quiet Hours Provision, which provides the same private right of action for telephone solicitations made either before 8 a.m. or after 9 p.m., in the recipient’s local time. See 47 U.S.C. § 227(c)(2); 47 C.F.R. § 64.1200(c)(1).
Ultimately, there is no doubt that post-trial recovery is limited to one violation of Section 227(c) per call, a point which neither party contested. Jubb, 2025 WL 942961, at *6. However, post-trial recovery is not the issue on a motion to dismiss. The Jubb court found that a plaintiff may plead multiple claims in the alternative—then limit recovery at the time of trial. See id.
Pleading alternative claims under Section 227(c) allows a plaintiff to seek certification of two different types of classes, either in the alternative or as part of a subclass, presenting a greater risk of liability for defendants. These alternative claims have always been permitted, even under Section 227(c), for instance with internal DNC list violations and external DNC violations. The Quiet Hours Provision now offers a new option for plaintiffs.
In a silver lining here for defendants, the court seemed to take heed of a recent petition made to the Federal Communications Commission. The Petition for Declaratory Ruling and/or Waiver of the Ecommerce Innovation Alliance and Other Petitioners, CG Docket Nos. 02-278, 21-402 (filed Mar. 3, 2025) seeks a declaratory ruling that the time zone of the recipient’s area code—rather than the recipient’s actual location—should be used to determine which time zone is the “recipient’s local time” under the Quiet Hours Provision.
The Jubb court did not directly cite the petition. However, the court did note that the Plaintiff had an area code that corresponded with the Pacific time zone. Jubb, 2025 WL 942961, at *2. This is a much more practical and workable way to determine the recipient’s local time than looking to the recipient’s actual location.
Currently, the language of the Quiet Hours Provision requires a telemarketer to restrict telephone solicitations to between 8 a.m. and 9 p.m., based on “local time at the called party’s location.” 47 C.F.R. § 64.1200(c)(1). Realistically, there is no way for a telemarketer to know the precise location of the individuals they contact. Even if a telemarketer knows and actively monitors the current physical address of their leads, the recipient could be on vacation or an extended business trip in Taiwan, changing the hours of the recipient’s local time. Using the recipient’s area code rather than their actual, physical location makes the most sense—but there is an argument that this reading is not directly supported by the plain language of the Quiet Hours Provision.
Even if the FCC petition is unsuccessful, the Jubb ruling provides some support for arguing that a recipient’s area code determines the recipient’s time zone, making the Quiet Hours Provision more workable from a compliance perspective.
We have seen many cases around the Quiet Hours Provision and have seen many voluntary dismissals of those same cases since then, likely from settlements. As case law begins to come out in this area, there are sure to be more updates to follow.

ICO Fines Advanced Computer Software Group £3 Million Following Ransomware Attack

On March 27, 2025, the UK Information Commissioner’s Office (“ICO”) announced that it had issued a fine against Advanced Computer Software Group (“Advanced”) for £3.07 million (approx. $4 million) for non-compliance with security rules identified through an investigation following a ransomware attack which occurred in 2022.
The ICO’s investigation found that personal data belonging to 79,404 people was compromised, including details of how to gain entry into the homes of 890 people who were receiving care at home. According to the ICO, hackers accessed certain systems of a group subsidiary via a customer account that did not have multi-factor authentication. The ICO also noted that it was widely reported that the security incident led to the disruption of critical services. The ICO concluded that the group subsidiary had not implemented adequate technical and organizational measures to keep its systems secure.
Initially, the ICO intended to issue a higher fine against Advanced. However, it took into consideration Advanced’s proactive engagement with the UK National Cyber Security Centre, the UK National Crime Agency and the UK National Health Service in the wake of the attack, along with other steps taken to mitigate the risk to those impacted. The final fine represents a voluntary settlement agreed between the ICO and Advanced.

March 2025 PFAS Legislative Developments

Federal Legislature

One new bill was introduced.

State Legislature

Sixty-six bills were introduced across fifteen states.
Topics include: Exemptions from PFAS bans; PFAS testing requirements; Establishing liability for PFAS contamination; Regulating PFAS contamination in water sources.

State Regulations

NH Env-Dw 1500 was published as a Final Rule. This is a rebate program for well water contaminated by PFAS. The purpose is to establish criteria and procedures for administering the PFAS removal rebate program for private wells.

New Bills This Period
PFAS Legislation

Federal

One new bill introduced.

State

Sixty-six bills introduced.
One in CT
One in DE
One in FL
Eight in HI
One in IA
Five in ME
Nine in MA
Eighteen in MN
One in NM
Two in NY
Eight in NC
Two in PA
Four in RI
One in TX
Four in WI

Ghosted by Your Insurer? The Truth Behind Instant Claim Rejections

Article written by: JJ Palmer, Consumer Law Specialist: Lawyer Monthly – Updated April 2025
More than a year ago, UnitedHealthcare Group Inc.’s CEO, Brian Thompson, faced intense backlash after it emerged that the company had implemented an artificial intelligence (AI) system designed to automatically reject […]

FTC Alleges Fintech Cleo AI Deceived Consumers

On March 27, 2025, the Federal Trade Commission (FTC) filed a lawsuit and proposed settlement order resolving claims against Cleo AI, a fintech that operates a personal finance mobile banking application through which it offers consumers instant or same-day cash advances. The FTC alleges that Cleo deceived consumers about how much money they could get and how fast that money could be available, and that Cleo made it difficult for consumers to cancel its subscription service.
Pointing to those allegations, the FTC alleges Cleo (1) violated Section 5 of the Federal Trade Commission Act (FTC Act) by misrepresenting that consumers would receive—or would be likely to receive—a specific cash advance amount “today” or “instantly” and (2) violated the Restore Online Shoppers’ Confidence Act (ROSCA) by failing to conspicuously disclose all material transaction terms before obtaining consumers’ billing information and by failing to provide simple mechanisms to stop recurring charges.
“Cleo misled consumers with promises of fast money, but consumers found they received much less than the advertised hundreds of dollars promised, had to pay more for same day delivery, and then had difficulty canceling,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection.
The FTC cites to consumer complaints in support of its action against Cleo, including one stating: “There’s no other way for me to say it. I need my money right now to pay my rent. I have no other option I can’t wait 3 days. I can’t wait 1 day I need it now. I would never have used Cleo if I would have thought I would ever be in this situation.”
The FTC’s Allegations
In its complaint, filed in the U.S. District Court for the Southern District of New York, the FTC alleges that Cleo violated Section 5 of the FTC Act by:

“Up To” Claims. Advertising that its customers would receive “up to $250 in cash advances,” when the consumer is informed of the cash advance amount they can actually receive only after the consumer subscribes to a plan and Cleo sets the payment date for the subscription. For “almost all consumers, that amount is much lower than the amount promised in Cleo’s ads.”
Undisclosed Fees. Advertising that its customers would obtain cash advances “today” or “instantly,” when Cleo actually charges an “express fee”—sometimes disclosed in a footnote—of $3.99 to get the cash same-day, and, even then, the cash may not arrive until the next day.

In addition, the FTC’s complaint alleges that Cleo violated Section 4 of ROSCA by:

Inadequate Disclosures. Failing to clearly and conspicuously disclose all material terms before obtaining customers’ billing information.
Inadequate Cancellation Mechanisms. Failing to permit consumers with an outstanding cash advance to cancel their subscriptions through the app.

Proposed Consent Agreement
The FTC’s proposed consent order would be in effect for 10 years and require that Cleo pay $17 million to provide refunds to consumers harmed by the company’s practices. The consent order would restrict Cleo from misleading consumers about material terms of its advances and require that it obtain consumers’ express, informed consent before imposing charges. More specifically, the consent order:

Prohibits Cleo from misrepresenting the amount of funds available to a consumer, when funds will be available, any applicable fees (including the nature, purpose, amount, or use of a fee), consumers’ ability to cancel charges, or the terms of any negative option feature.
Requires Cleo to clearly and conspicuously disclose, prior to obtaining the consumer’s billing information, all material terms, including any charges after a trial period ends, when a consumer must act to prevent charges, the amount the consumer will be charged unless steps are taken to prevent the charge, and information for consumers to find the simple cancellation mechanism.
Requires Cleo to provide a simple mechanism for a consumer to cancel the negative option feature, avoid being charged, and immediately stop recurring charges. Such cancellation method must be through the same medium the consumer used to consent to the negative option feature.

The Commission voted 2-0 to issue the Cleo complaint and accept the proposed consent agreement.
Takeaways
The FTC has increased enforcement activities for negative options, such as last year’s enforcement action against Dave, Inc., another cash advance fintech company, which we wrote about previously. This attention on negative options, and consumers’ ability to easily cancel negative options, may provide insight into the FTC’s regulatory agenda, given that the remainder of its Click-to-Cancel Rule takes effect on May 14, 2025.
The FTC recently filed a brief in defense of its Click-to-Cancel Rule, vigorously defending the FTC’s rulemaking against trade association challenges consolidated in the Eighth Circuit. The FTC’s brief puts an end to speculation that the Commission may rethink or roll back the rule given the recent administration change and shifts in FTC leadership.
Businesses should be preparing to adopt changes to implement the Click-to-Cancel Rule, to the extent not already in process. The FTC’s complaint against Cleo should also serve as a reminder that businesses that employ “up to” claims, complex fee structures, or negative option offers should be careful to monitor their conduct in light of developments within the FTC and the other federal and state agencies that police advertising and marketing practices.

CFTC Withdraws Pair of Advisories on Heightened Review Approach to Digital Asset Derivatives [Video]

On March 28, the staff of the Commodity Futures Trading Commission (CFTC) issued two press releases announcing the withdrawal of two previous advisories that reflected the agency’s heightened review approach to digital asset derivatives. 
These announcements appear to mark the end of the CFTC’s heightened review of digital asset products. The CFTC rules certainly still apply, but this seems to be a deliberate move by the CFTC to start treating digital asset derivatives like other CFTC-regulated products. It also gives a glimpse of how the CFTC would regulate digital asset spot transactions if Congress gives it the authority to do so.
The first advisory the CFTC withdrew was Staff Advisory No. 18-14, Advisory with Respect to Virtual Currency Derivative Product Listings, which was issued on May 21, 2018. The withdrawal is effective immediately. That advisory provided certain enhancements that CFTC-regulated entities were asked to follow when listing digital asset derivatives. These included enhanced market surveillance, closer coordination with the CFTC, reporting obligations, risk management and outreach to members and market participants. That advisory was withdrawn in its entirety, with the CFTC staff citing its increased experience with digital asset derivatives and that the digital asset industry has increased in market growth and maturity.
The second advisory the CFTC staff withdrew was Staff Advisory No. 23-07, Review of Risks Associated with Expansion of DCO Clearing of Digital Assets, issued on May 30, 2023. It stated that CFTC staff would focus on the heightened risks of digital asset derivatives to system safeguards, fiscal settlement procedures and conflicts of interest. 

EU: New European Consumer Protection Guidelines for Virtual Currencies in Video Games

On March 21, 2025, ahead of a consultation and call for evidence on the EU’s Digital Fairness Act, the Consumer Protection Cooperation (CPC) Network[1] highlighted the pressing need for improved consumer protection in the European Union, particularly regarding virtual currencies in video games. This move comes in response to growing concerns about the impact of gaming practices on consumers, including vulnerable groups such as children. The CPC Network has defined a series of key principles and recommendations aimed at ensuring a fairer and more transparent gaming environment. These recommendations are not binding and are without prejudice to applicable European consumer protection laws,[2] but they will likely guide and inform enforcement by consumer protection agencies at the national level across the EU.
What Are the Key Recommendations for In-Game Virtual Currency?
The CPC Network’s recommendations are designed to enhance transparency, prevent unfair practices, and protect consumers’ financial well-being. These principles are not exhaustive but cover several crucial areas:

Clear and Transparent Price Indication: The price of in-game content or services must be shown in both in-game currency and real-world money, ensuring players can make informed decisions about their purchases. (Articles 6(1)(d) and 7 of the UCPD, and Article 6(1)(e) of the CRD)
Avoiding Practices That Obscure Pricing: Game developers should not engage in tactics that obscure the true cost of digital content. This includes practices like mixing different in-game currencies or requiring multiple exchanges to make purchases. The goal is to avoid confusing or misleading players. (Articles 6(1)(d) and 7 of the UCPD, and Article 6(1)(e) of the CRD)
No Forced Purchases: Developers should not design games that force consumers to spend more money on in-game currencies than necessary. Players should be able to choose the exact amount of currency they wish to purchase. (Articles 5, 8 and 9 of the UCPD)
Clear Pre-Contractual Information: Prior to purchasing virtual currencies, consumers must be given clear, easy-to-understand information about what they are buying. This is particularly important for ensuring informed choices. (Article 6 of the CRD)
Respecting the Right of Withdrawal: Players must be informed about their right to withdraw from a purchase within 14 days, particularly for unused in-game currency. This is crucial for ensuring consumers’ ability to cancel transactions if they change their mind. (Articles 9 to 16 of the CRD)
Fair and Transparent Contractual Terms: The terms and conditions for purchasing in-game virtual currencies should be written clearly, using plain language to ensure consumers fully understand their rights and obligations. (Article 3(1) and (3) of the UCTD)
Respect for Consumer Vulnerabilities: Game developers must consider the vulnerabilities of players, particularly minors, and ensure that game design does not exploit these weaknesses. This includes providing parental controls to prevent unauthorized purchases and ensuring that any communication with minors is carefully scrutinized. (Articles 5-8 and Point 28 of Annex I of the UCPD)

These principles reflect European regulators’ growing concern about the exploitation of consumers, particularly vulnerable groups such as children, in the gaming world. The European Consumer Organisation (BEUC) has strongly supported these measures, which aim to provide a safer, more transparent gaming experience for players.
Enforcement Actions and Legal Proceedings
On the same day, the CPC Network, coordinated by the European Commission, initiated legal proceedings against the developer of an online game. This action, driven by a complaint from the Swedish Consumers’ Association, addresses concerns about the company’s marketing practices, particularly those targeting children. Allegations include misleading advertisements urging children to purchase in-game currency, aggressive sales tactics such as time-limited offers, and a failure to provide clear pricing information.
A Safer Gaming Future
This enforcement action, along with the introduction of new principles, is part of the European Commission’s stated objective to ensure better consumer protection within the gaming industry. The Commission aims to emphasize the importance of transparency, fairness, and the protection of minors within gaming platforms.
What Should Video Game Companies and Gambling Operators Do Next?
In light of these new developments, video game companies and gambling operators, especially those offering virtual currencies, are well advised to review their practices to ensure ongoing compliance with existing EU consumer protection laws.
Failure to align with the above principles does not automatically mean that consumer laws are infringed but, as the recent enforcement action shows, could result in investigations and enforcement actions under the CPC Regulation or national laws. If gaming content is available across multiple EU countries, a coordinated investigation may be triggered, with the possibility of fines up to 4% of a company’s annual turnover.
To further support the industry, the European Commission is organising a workshop to allow gaming companies to present their strategies for aligning with the new consumer protection standards. This will provide a valuable opportunity for companies to share their plans and address any concerns related to these proposed changes. If you would like to know more, please get in touch.
FOOTNOTES
[1] The CPC Network is formed by national authorities responsible for enforcing EU consumer protection legislation under the coordination of the European Commission.
[2] Reference is made to Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 on unfair commercial practices (UCPD); Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights (CRD); and Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts (UCTD).