UK ICO Launches Review of Children’s Privacy in Mobile Gaming

On December 1, 2025, the UK Information Commissioner’s Office (“ICO”) announced a new initiative to scrutinize privacy protections in mobile games frequently played by children in the UK. As digital gaming continues to grow in popularity among children, the review by the ICO signals renewed regulatory attention to how mobile gaming platforms safeguard the personal data of young users.
The ICO will conduct a monitoring program focusing on 10 mobile games widely used by children. The assessment will center on three critical areas:

Default Privacy Settings: Evaluating whether games are configured to protect children’s privacy from the outset.
Geolocation Controls: Scrutinizing how games handle location data and whether children’s whereabouts are adequately protected.
Targeted Advertising: Reviewing practices around serving targeted ads to children.

In addition to these core areas, the ICO’s review will consider any other privacy risks that emerge during the process.
This latest focus follows the ICO’s Children’s code strategy, which has previously led to significant improvements in children’s privacy standards on social media and video-sharing platforms.
Read the UK ICO press release here.

Connecticut, California and New York Reach Landmark Settlement for Student Data Breach

On November 6, 2025, Connecticut Attorney General William Tong, along with California Attorney General Rob Bonta and New York Attorney General Letitia James, announced a significant settlement stemming from the enforcement of Connecticut’s Student Data Privacy Law. This case marked the first enforcement action since the law’s enactment and involved Illuminate Education, Inc. (“Illuminate”), an educational technology provider whose 2022 data breach exposed sensitive information belonging to millions of students.
In December 2021, hackers gained access to Illuminate’s systems using credentials from a former employee. The hackers downloaded unencrypted database files containing sensitive information such as student names, birth dates, IDs, and demographic details. The number of students affected in each state was as follows:

Connecticut: 28,610 students
New York: 1.7 million students
California: 3 million students

Illuminate will pay a total of $5.1 million in penalties, distributed as follows:

$150,000 to Connecticut
$1.7 million to New York
$3.25 million to California

In addition to the monetary penalties above, the settlement requires Illuminate to implement comprehensive security measures, including:

employing specific safeguards, including maintaining data inventories, minimizing data and setting retention limits;
implementing proper access controls and authentication procedures;
conducting data security risk assessments and penetration testing;
monitoring vendors; and
providing a right to data deletion

What to Watch: Continued DTC Advertising Enforcement

Just before Thanksgiving, the Food and Drug Administration’s (“FDA’s”) Office of Prescription Drug Promotion (“OPDP”) silently published three untitled letters, furthering this administration’s promise to crack down on direct-to-consumer (“DTC”) prescription drug advertising.[1] The letters (which we’ll call “Letter 1,” “Letter 2,” and “Letter 3”) addressed familiar enforcement themes, such as omission or minimization of risk information, ad presentation and form, and promotion consistent with FDA-required labeling (“CFL”). The letters appeared to have been leftovers from the shutdown, dated from earlier in September when the crackdown was in full swing. This is why we refresh these pages daily.

Letter 1: OPDP found a television ad for an oral cardiovascular medication misleading and, therefore, misbranded under the Food, Drug, and Cosmetics Act (“FDCA”), because it overstated the drug’s approved indication. Specifically, the ad represented that the drug was approved on the single endpoint of “reducing the risk of cardiovascular death” in adults with chronic kidney disease (“CKD”) or heart failure (“HF”); however, the drug’s FDA-approved Prescribing Information indicates that approval was based on more granular composite endpoints, including reduction of sustained estimated glomerular filtration rate decline, progression to end-stage kidney disease, cardiovascular or renal death in CKD patients, and reduction of cardiovascular death, hospital visits, or urgent visits in HF patients.
Letter 2: OPDP found a webpage for a ketamine injection intended for surgical pain management misleading and, therefore, misbranded under the FDCA, because it promoted the benefits of the drug without communicating risk information and overstated the drug’s approved indication. Specifically, the webpage promoted the drug for pain management in all surgical and diagnostic procedures, but failed to communicate important use limitations from the drug’s FDA-approved Prescribing Information, including an exclusion for procedures requiring skeletal muscle relaxation and specifications that it be used before and/or as a supplement to other general anesthetic agents. OPDP found this especially concerning because this particular drug is a generic and the webpage misleadingly suggested that its intended use was broader than that of its reference listed drug. To wrap up its letter, OPDP also cited the company for failing to submit a copy of the webpage under a Form FDA-2253 prior to initial publication, as required by FDA regulations.
Letter 3: OPDP found a television ad for an oral seizure medication misleading and, therefore, misbranded under the FDCA, because it promoted the benefits of the drug with minimized presentation of risk information. Specifically, the ad (i) excluded a warning concerning the risk of liver injury from the drug’s Prescribing Information; and (ii) failed to disclose the risk of problems with the heart’s electrical system, as included in the drug’s FDA-approved labeling, despite the fact that the ad stated “[s]erious, life threatening allergic reactions or rash can occur, which may affect the liver, other organs, body parts, or blood cells, as can problems with the heart.” Additionally, certain material information from the drug’s major statement (i.e., the presentation of major risks required for all pharmaceutical television ads) was included in SUPERS but not in the corresponding audio, even though benefits were presented via SUPERS and audio.

FOOTNOTES
[1] See our post on OPDP’s previous enforcement under this administration.

TCPA AVALANCHE- TCPA Class Action Numbers Continue to Spike

It makes me chuckle when other sources suggest TCPA filings were “down” in October.
Yes, there were fewer filings in October than in September, but what is being missed is there were 45% MORE filings in October, 2024 than October, 2025– and that’s what matters when comparing trends.
What is also being missed– the 171 TCPA class actions filed in October, 2025 is a 48% increase over the 115 TCPA class action filings in October, 2024.
Overall there have been 1,807 TCPA class actions filed in 2025 compared to 915 in 2024, meaning filings are up 97% year over year.
Here’s the breakdown:
2025
October, 2025: 235 TCPA, 171 Class Action (72.8%)
September, 2025: 287 TCPA, 224 Class Action (78.0%)
August, 2025: 232 TCPA, 162 Class Action (69.8%)
July, 2025: 273 TCPA, 198 Class Action (72.5%)
June, 2025: 257 TCPA, 202 Class Action (78.6%)
May, 2025: 199 TCPA, 159 Class Action (79.9%)
April, 2025: 235 TCPA, 184 Class Action (78.3%)
March, 2025: 242 TCPA, 187 Class Action (77.3%)
February, 2025: 196 TCPA, 148 Class Action (75.5%)
January, 2025: 207 TCPA, 172 Class Action (83.1%)
2024
October, 2024: 161 TCPA, 115 Class Action (71.4%)
September, 2024: 137 TCPA, 79 Class Action (57.7%)
August, 2024: 156 TCPA, 103 Class Action
July, 2024: 129 TCPA, 79 Class Action (61.2%)
June, 2024: 151 TCPA, 99 Class Action (65.6%)
May, 2024: 163 TCPA, 109 Class Action (66.9%)
April, 2024: 135 TCPA, 92 Class Action (68.1%)
March, 2024: 139 TCPA, 84 Class Action (60.4%)
February, 2024: 136 TCPA, 91 Class Action (66.9%)
January, 2024: 200 TCPA, 64 Class Action (32.0%)
Just crazy numbers.

Campus Event Safety- Practices for Campus Police Managing High-Profile and Controversial Events on Campus

Campus police play a critical role in ensuring the safety, security, and success of high-profile and potentially controversial events on campus. Recent incidents have highlighted the importance of proactive planning, clear protocols, and collaboration with campus stakeholders. This client alert offers practical tools and legal insights for campus law enforcement professionals and university leaders as they prepare to host large events or controversial events on campus with outside speakers.
This alert is the second in our series designed to provide colleges and universities with practical strategies for managing safety and legal risks associated with campus events. Our prior alert on campus event safety is available here. Our goal is to equip higher education leaders with actionable tips, legal insights, and best practices to ensure campus events remain safe, accessible, and consistent with institutional values and legal obligations. These are general recommendations and may not be suitable for every college or university. Institutions should work with legal counsel to develop actionable measures appropriate for their unique campus environment, policies, practices, and applicable law.
Risk management for campus police in managing high-profile or controversial events on campus starts with advance preparation and collaboration with various university departments, ensuring that potential issues are identified and mitigated early. Key risk management strategies for campus police departments include:

Early Coordination both On-Campus and Off-Campus: Campus police departments must collaborate with scheduling offices, student affairs, and event organizers (and vice versa) to assess all high-profile and/or potentially controversial events. Using campus event registration forms, campus police and related campus offices are able to collect critical information for risk assessment: expected attendance, speaker profiles, event location, and planned activities.
Depending on the size and scope of the event, campus police should also be coordinating with local law enforcement in the city/town or state, as well as with the speaker’s private security detail (if applicable).
Security Planning and Threat Assessment: Campus police must develop event-specific security plans in consultation with event organizers, local law enforcement, and the speaker’s private security detail (if applicable). Campus police should use standardized tools to assess event risk, considering factors such as anticipated protest activity, speaker notoriety, crowd size and location logistics. These tools allow for risk assessment based on information about the event; however, information considered should not include the speaker’s viewpoint.
As part of this security planning, campus police need to have a designated point person (or group of persons) and assign designated security or police personnel to the event, with clear roles and authority to intervene if needed.
Infrastructure Controls and Crowd Management: Campuses should consider holding high-risk events in venues where access can be controlled and monitored. Campus police or hired security should work with event organizers to restrict dangerous items, remove objects that could be weaponized, and set up physical barriers if warranted.
Campus event organizers should be made aware of campus policies on signs, amplified sound, and space usage. These policies apply, and should be enforced, regardless of the content of the speech at the event. Event staff, campus police, hired security, local law enforcement, and the speaker’s security detail (if applicable) should be briefed on these policies and how they are enforced on campus and during events.
Communication and Training: Event staff, campus police, hired security, local law enforcement, and the speaker’s security detail (if applicable) must all be briefed on emergency procedures, campus policies, and the event-specific security plan.
Depending on the risk profile of the event, tabletop exercises and scenario-based training may be used to prepare for potential protests, disruptions, or emergencies.
Monitoring and Response: Before and during the event, the campus should ensure that it is monitoring social media, campus communications, and local intelligence (if applicable) for indications of planned disruptions or threats. This could be led by the campus communications team with campus police support. Any relevant updates should be communicated to event organizers and campus police prior to and throughout the event.

Crisis management is activated when an incident occurs at an event and campus police respond with a swift, coordinated response to protect people, property, and institutional reputation. Key crisis management strategies include:

Activation of Emergency Protocols and Crisis Team: Campus police should be prepared to activate lockdown, evacuation, and emergency medical protocols when necessary. Key to this is ensuring rapid, clear communication with campus leadership, event organizers, and local and state police partners – and to the campus community.
Legal and Compliance Considerations: Campus police should remember to appropriately document all law enforcement actions and responses for Clery Act compliance and legal review. Campus legal counsel or outside counsel should be consulted before restricting speech or removing individuals from the event to ensure First Amendment and civil rights obligations are met, and to ensure that the university is complying with its own policies.
Post-Event Debrief and Policy Updates: The university should conduct after-action reviews with campus police, event organizers, legal counsel, and university leadership. As a result of this review, the university may want to update its policies and protocols and conduct training based on lessons learned and emerging best practices.

FinReg Monthly Update November 2025

Welcome to the FinReg Monthly Update, a regular bulletin highlighting the latest developments in UK, EU and U.S. financial services regulation.
Key developments in November 2025:
Asset Management / Wealth Management
17 November – Liquidity Management RTS: The European Commission has adopted Delegated Regulations containing regulatory technical standards (RTS) on liquidity management tools under the Alternative Investment Fund Managers Directive (2011/61/EU) (AIFMD) and the UCITS Directive (2009/65/EC).
17 November – Fund Valuation Standards: The International Organization of Securities Commissions (IOSCO) published a consultation report on updated recommendations on valuing collective investment schemes.
17 November – Depositary Supervision Review: ESMA published a report on the outcome of a peer review of the supervision of depositary obligations.
Sustainable Finance / ESG
20 November – SFDR 2.0 Legislative Proposal Launched: On 20 November 2025, the European Commission officially launched its legislative proposal for the updates to the Sustainable Finance Disclosure Regulation (“SFDR”). In a significant departure from the current SFDR disclosure regime, the European Commission proposes a categorisation regime for funds in its place. Please refer to our dedicated article on this topic here.
13 November – CSRD / CSDDD Simplification Mandate: On 13 November 2025, the European Parliament adopted its negotiating mandate on the European Commission’s Omnibus proposal to reduce the scope of the Corporate Sustainability Due Diligence Directive ((EU) 2024/1760) and the Corporate Sustainability Reporting Directive ((EU) 2022/2464). Please refer to our dedicated article on this topic here.
13 November – NGFS Climate Scenario Guide: The Network for Greening the Financial System (NGFS) published an updated version of its guide to climate scenario analysis for central banks and supervisors.
11 November – Taxonomy Delegated Acts Review: The European Commission has published calls for evidence (CfEs) on two proposed Delegated Regulations amending the Taxonomy Climate Delegated Act ((EU) 2021/2139) and the Taxonomy Environmental Delegated Act ((EU) 2023/2486). Please refer to our dedicated article on this topic here.
10 November – ESRS ‘Quick Fix’ Regulation: Commission Delegated Regulation (EU) 2025/1416 amending Delegated Regulation (EU) 2023/2772 as regards the postponement of the date of application of the disclosure requirements for certain undertakings (referred to as the Quick Fix Regulation) was published in the Official Journal of the European Union, on 10 November 2025.
7 November – NGFS Climate Scenario Notes: The Network for Greening the Financial System (NGFS) published a series of explanatory notes to clarify and improve the usability of its long-term climate scenarios.
5 November – EBA Environmental Scenario Analysis: The EBA published a final report (EBA/GL/2025/04) on guidelines on environmental scenario analysis under the CRD IV Directive (2013/36/EU).
4 November – Updated SFDR Q&A: The Joint Committee of the European Supervisory Authorities (ESAs) published an updated version of its questions and answers (Q&A) (JC 2023 18) on the SFDR ((EU) 2019/2088) and on Commission Delegated Regulation (EU) 2022/1288, which supplements the SFDR with regard to RTS on content and presentation of information (SFDR Delegated Regulation).
Securities / Capital Markets
28 November – Bond and Derivatives SI Regime: The FCA published a policy statement (PS25/17) on removing the systematic internaliser (SI) regime for bonds, derivatives, structured finance products and emission allowances.
27 November – Credit Builders and Data Collection: The FCA has published its regulation round-up for November 2025. Among other things, the FCA outlines its findings from a review of credit builder products, explains how it is standardising the way it collects financial data at the authorisation gateway and summarises its work on improved digital forms.
27 November – UK EMIR Margin Amendments: The PRA and the FCA published a joint policy statement on changes to the UK bilateral margin requirements for non-centrally cleared derivatives under UK EMIR (648/2012) (PRA PS23/25 / FCA PS25/16), which take the form of amendments to the binding technical standards (BTS) in the UK onshored version of Commission Delegated Regulation (EU) 2016/2251, supplementing UK EMIR.
21 November – FCA Fees and Levies Consultation: The FCA published a consultation paper on policy proposals for its regulatory fees and levies for 2026/27 (CP25/33).
21 November – UK Transaction Reporting Reforms: The FCA published a consultation paper (CP25/32) on proposed improvements to the UK transaction reporting regime.
20 November – Regulated Activities Amendment Order: The Financial Services and Markets Act 2000 (Regulated Activities) (Amendment) Order 2025 (SI 2025/1205) has been published on legislation.gov.uk.
19 November – Market Conduct Codes Recognition: The FCA published an updated version of its webpage on recognised industry codes to reflect the fact it has extended its recognition of the FX Global Code, the UK Money Markets Code and version 2 of the Global Precious Metals Code.
19 November – Equity Consolidated Tape Consultation: The FCA published a consultation paper on the proposed framework for introducing an equity consolidated tape (CT) in the UK run by a consolidated tape provider (CTP) (CP25/31).
12 November – Neo-Brokers Final Report: The IOSCO published its final report on neo-brokers.
5 November – FCA Intragroup EMIR Changes: The FCA published a consultation paper (CP25/30) proposing changes to its BTS on the intragroup exemption regime under UK EMIR (648/2012). The relevant BTS are the UK version of Commission Delegated Regulation (EU) 2016/2251 (BTS 2016/2251) and the UK version of Commission Delegated Regulation (EU) 149/2013 (BTS 2013/149).
5 November – UK EMIR Intragroup Amendments: HM Treasury published a draft version of the Over the Counter Derivatives (Intragroup Transactions) Regulations 2026, together with a policy note.
3 November – Overseas Recognition Regime Regulations: The Financial Services (Overseas Recognition Regime Designations) Regulations 2025 (SI 2025/1147) have been published on legislation.gov.uk.
3 November – Berne Agreement FCA Guidance: The FCA published guidelines for firms on the Berne Financial Services Agreement.
Financial Crime / Conduct / Sanctions
27 November – FOS 2026/27 Plans Consultation: The Financial Ombudsman Service (FOS) published a consultation paper on its proposed plans and budget for 2026/27.
26 November – SFO Compliance Programme Guidance: The Serious Fraud Office (SFO) published updated guidance on evaluating corporate compliance programmes in England, Wales and Northern Ireland. The guidance outlines six scenarios where the SFO assesses an organisation’s compliance programme, including decisions on prosecution, deferred prosecution agreements (DPAs), compliance terms or monitorships in DPAs, defences under the Bribery Act 2010 and the Economic Crime and Corporate Transparency Act 2023, and sentencing considerations.
21 November – Updated SARs Best Practice: The National Crime Agency published UKFIU SARs best practice guidance on how to use the SAR portal to submit a SAR to the UKFIU, how to help reporters submit a high-quality SAR and how to help reporters seek a defence under Proceeds of Crime Act 2002 (POCA) and the Terrorism Act 2000.
17 November – JMLSG AML/CTF Consultation: The Joint Money Laundering Steering Group (JMLSG) published, for consultation, proposed revisions to Part I of its anti-money laundering (AML) and counter-terrorist financing (CTF) guidance for the financial services sector.
14 November – FCA Regulatory Failure Investigations Policy: The FCA published a statement of policy on statutory investigations into regulatory failure and producing reports.
11 November – FCA Financial Crime Review Findings: The FCA published the findings from a multi-firm review focused on firms’ business-wide risk assessment (BWRA) and customer risk assessment (CRA) processes. The firms involved in the review included building societies, platforms, e-money firms and wealth management firms.
5 November – Financial Inclusion Strategy: HM Treasury published its new financial inclusion strategy, which sets out a national plan aimed at removing barriers to financial participation and building financial resilience.
5 November – BNPL Credit Broking Exemption: The Financial Services and Markets Act 2000 (Regulated Activities, etc.) (Amendment) (No 2) Order 2025 (SI 2025/1154) has been laid before Parliament and published on legislation.gov.uk with an explanatory memorandum. The Order will exempt domestic premises suppliers from credit broking regulation when they offer certain buy-now-pay-later (BNPL) credit products to customers.
3 November – Central Sanctions Enforcement Hub: A new sanctions enforcement action collections page was launched by the Foreign, Commonwealth and Development Office (FCDO), the Office of Financial Sanctions Implementation (OFSI), and the Office of Trade Sanctions Implementation (OTSI).
Cryptoassets / Payments
27 November 2025 – IRSG Response on Crypto Consultation: The International Regulatory Strategy Group (IRSG) published its response to the FCA’s September 2025 consultation paper on the application of its Handbook to regulated cryptoasset activities (CP25/25).
26 November – Stablecoin Sandbox Cohort: The FCA published a new webpage announcing the launch of a special cohort within its Regulatory Sandbox for firms issuing stablecoins.
25 November – EP Resolution on AI in Finance: The European Parliament adopted a resolution on the impact of AI on the financial sector.
20 November – Property (Digital Assets) Bill: On 19 November 2025, the Property (Digital Assets etc) Bill passed its third reading in the House of Commons with no amendments. It is now awaiting Royal Assent.
18 November – Confirmation of Payee Compliance Report: The Payment Systems Regulator (PSR) published a compliance report on Specific Direction 17, which relates to the confirmation of payee system.
12 November – Tokenised Asset Markets Report: The Investment Association, together with the Investment Management Association of Singapore, published a report examining the challenges and opportunities in tokenised asset markets across the UK and Singapore.
11 November – Tokenisation of Financial Assets Report: The IOSCO published a final report (FR/17/25) discussing observations from a monitoring exercise conducted by its Fintech Task Force to determine how tokenisation and distributed ledger technology (DLT) is being developed and adopted in capital markets products and services.
10 November – BoE Systemic Stablecoins Consultation: The Bank of England (BoE) published a consultation paper on regulating sterling-denominated systemic stablecoins for UK payments issued by non-banks.
7 November – Retail Payments Infrastructure Strategy: HM Treasury published an update on the work of the Payments Vision Delivery Committee.
Artificial Intelligence / Digital Regulation
18 November – DORA Critical ICT Providers List: The ESAs published a list of designated critical ICT third-party service providers under the Regulation on digital operational resilience for the financial sector ((EU) 2022/2554) (DORA).
12 November – ECON Report on AI in Finance: The European Parliament’s Committee on Economic and Monetary Affairs (ECON) published a report on the impact of AI on the financial sector.
5 November – HM Treasury AI Skills Commission: HM Treasury published a letter to the Financial Services Skills Commission (FSSC) from Lucy Rigby MP, Economic Secretary to the Treasury, commissioning the FSSC to research and produce a report on AI skills needs, training and innovation in financial services.
Prudential / Remuneration
28 November – PRA Credit Union Assessment: The PRA published a letter it has sent to directors of credit unions, setting out the key findings from its 2025 assessment of these firms and the actions it expects firms to take.
26 November – MIFIDPRU Reporting Quality Review: The FCA published its findings following a review of MIFIDPRU Reporting Quality.
26 November – FCA Reviews Data Quality in MIFIDPRU Prudential Reporting: The FCA published its findings on the quality of prudential regulatory reporting by MIFIDPRU investment firms, identifying good practice as well as areas for improvement including inconsistent data, incorrect firm classification and errors in reporting units.
25 November – IAIS Global Monitoring Exercise: The International Association of Insurance Supervisors (IAIS) published an updated version of its global monitoring exercise (GME) document for the period 2026-28, as well as a new set of ancillary risk indicators for the individual insurer monitoring (IIM) assessment methodology within the GME.
21 November – ComFrame and ICS Consultation: The IAIS published a consultation on developing its common framework for the supervision of internationally-active insurance groups (IAIGs) (ComFrame) to reflect the international capital standard (ICS). The related materials are available on the IAIS consultation webpage.
21 November – Joint Internal Model Authorisations ITS: Commission Implementing Regulation (EU) 2025/2338, amending Commission Implementing Regulation (EU) 2016/100 which contains implementing technical standards (ITS) on the joint decision process for internal models authorisation under the Capital Requirements Regulation (575/2013) (CRR), has been published in the Official Journal of the European Union.
20 November – FSB Global Stability Priorities: The Financial Stability Board (FSB) published a letter from Andrew Bailey, FSB Chair, to G20 finance ministers and central bank governors ahead of their meeting on 22 and 23 November 2025.
18 November – EIOPA Macroprudential RTS: EIOPA published two final reports (report 1 and report 2) containing draft RTS on new macroprudential tools that have been introduced under the Solvency II Directive (2009/138/EC), as amended by the Solvency II Amending Directive ((EU) 2025/2).
12 November – PRA Leverage Ratio Threshold: The PRA published a policy statement (PS22/25) on changes to the retail deposits threshold for application of the leverage ratio requirement.
7 November – CVA Risk Supervision Peer Review: The EBA published a peer review follow-up report analysing the effectiveness of the supervisory practices of competent authorities regarding their assessment of credit valuation adjustment (CVA) risk of the institutions under their supervision.
6 November – Market Risk Framework Consultation: The European Commission published a targeted consultation on the application of the market risk prudential framework.
3 November – Third-Country Branches Authorisation Guidelines: The EBA published a consultation paper on draft guidelines relating to the authorisation of third-country branches (TCBs) under the CRD IV Directive (2013/36/EU), as amended by the CRD VI Directive ((EU) 2024/1619).
Commission Payments / Motor Finance
5 November – Motor Finance Redress Scheme Update: The FCA published a statement providing an update on the progress and timing of its consultation (CP25/27) on a possible motor finance consumer redress scheme. The consultation deadline has been extended to 12 December 2025.
EU Financial Markets
28 November – MiCA Data Standards Statement: ESMA published a statement (ESMA75-1303207761-6284) on technical specifications for implementing a number of data standards and format requirements under the Regulation on markets in cryptoassets ((EU) 2023/1114) (MiCA).
24 November – AI Act Implications Factsheet: The EBA published a factsheet on the implications of the Artificial Intelligence Act ((EU) 2024/1689) (AI Act) for the EU banking and payments sector.
20 November – SFDR and PRIIPs Amendments Proposal: The European Commission adopted a proposed Regulation amending Regulation (EU) 2019/2088 on sustainability-related disclosures in the financial services sector and Regulation (EU) 1286/2014 on key information documents for packaged retail and insurance-based investment products (PRIIPs Regulation), and repealing Commission Delegated Regulation (EU) 2022/1288 (SFDR RTS) (COM(2025) 841 final) (2025/0361 (COD)).
19 November – CRR Market Risk Call for Evidence: The European Commission published a call for evidence on a delegated act on the own funds requirements for market risk under the Capital Requirements Regulation (575/2013) (CRR).
14 November – Gibraltar Market Access Extension: The Financial Services (Gibraltar) (Amendment) (EU Exit) Regulations 2025 (SI 2025/1182) have been published on legislation.gov.uk, together with an explanatory memorandum.
U.S. Matters – Private Funds
20 November – CFTC: The US Senate Committee on Agriculture, Nutrition and Forestry advanced President Trump’s nominee for CFTC Chairman, Michael Selig, in his confirmation process. The nomination will now move to the full US Senate for consideration.
17 November – SEC Exams: The SEC’s Division of Examinations released its 2026 exam priorities. The SEC’s Division of Examinations’ priorities included adherence to fiduciary standards of conduct, particularly in business lines serving retail investors and focused on issues involving emerging technologies like artificial intelligence.
17 November – Rule 14a-8: The SEC’s Division of Corporation Finance published a statement that, during the 2025-2026 proxy season, it will generally not respond substantively to no-action requests from companies intending to rely on any basis for exclusion of shareholder proposals under Rule 14a-8, other than requests to exclude a proposal under Rule 14a-8(i)(1), which is typically used by companies seeking to exclude “ESG” related proposals.
12 November – U.S. Government Shutdown Ends: President Trump signed a bill to fund the government, ending the longest U.S. government shutdown in history and reopening the U.S. federal government. The SEC has resumed its operations, but SEC staff are currently working through a backlog of items received during the shutdown (e.g., reviewing new filings, resuming ongoing exams, etc.). The bill only funded the government until January 30, 2026, meaning the parties will need to reach agreement on an additional extension soon in order to avoid another shutdown.
Nathan Schuur, Robert Sutton, Rachel Lowe, Sasha Burger, Sulaiman Malik, and Michael Singh contributed to this article

NUMBERS DON’T LIE- Statistics Show Why TCPA Risk is 10x Higher Than Risk Posed By Other Consumer Protection Statutes

Just did a post on the avalanche of TCPA class actions that have been filed this year.
But I want to put a finer point on these statistics.
First, the TCPA is FAR more dangerous than other consumer protection statutes and carries far higher penalties– with billions of dollars in exposure in most TCPA class cases. These cases are potentially business-enders for virtually every defendant.
Second, the volume of TCPA class actions compared to other consumer protection statutes is just staggering. Because the TCPA does not have an attorney fee provision the only way for consumer lawyers to collect large fees in most cases is to drive defendants to settle on a classwide basis– so class actions are the norm in TCPAWorld compared to other statutes.
Just how big of a difference is it?
Well in 2025 there have been 1,807 TCPA class actions filed compared to 174 FDCPA class actions and 91 FCRA class action filings.
That means there have been over 10x more TCPA class actions than FDCPA class actions filed this year– and 20x more TCPA class actions than FCRA class actions!
And look at the percentages here:
Only 4.7% of FDCPA cases were filed as class actions in 2025.
Only 1.3% of FCRA cases were filed as class actions in 2025.
Yet a full 76.4% of TCPA cases were filed as class actions in 2025!
3 out of 4 TCPA cases are filed as potential business-ending class actions– that’s insane.
Without question the TCPA is absolutely the biggest risk to YOUR business. If you are engaging in any kind of outbound calling or texting you MUST get great lawyers on your side. You can’t ChatGPT your way out of this, folks.

FCC Alerts Broadcasters of Cybersecurity Threat

The Federal Communications Commission’s Public Safety and Homeland Security Bureau (PSHSB) has issued a Public Notice alerting broadcasters of a recent string of cybersecurity intrusions against radio broadcasters that resulted in the broadcasting of obscene materials and actual or simulated Emergency Alert System (EAS) tones.  According to the FCC, these cybersecurity intrusions were caused by compromised studio-transmitter links where the threat actor(s) often accessed improperly secured Barix equipment and reconfigured it to broadcast attacker-controlled audio in lieu of station programming.
As a result, the PSHSB has requested that broadcasters, especially those using Barix equipment, ensure that they have adequate cybersecurity measures in place. Specifically, the FCC has recommended that broadcasters:

Apply all software security patches and firmware updates promptly.
Replace default passwords with strong alternatives and update them regularly.
Secure equipment that is interconnected to the broadcast signal processing system behind firewalls and use VPNs for remote access.
Monitor EAS equipment and software and audit logs for unauthorized activity.
Report incidents of unauthorized access to the FCC’s Operations Center at [email protected] and report cyberattacks to the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/.
Review the FCC’s Communications Security, Reliability, and Interoperability Council’s best practices for EAS security.

The PSHSB has also recommended that broadcasters contact their EAS equipment manufacturers with any questions regarding the security of their equipment.

You’ve Received a Notice of Violation from the CPSC – Now What?

Each year, the U.S. Consumer Product Safety Commission (the “CPSC” or “Commission”) utilizes its import surveillance program, surveys the market, and reviews reports from consumers and companies, to identify violations of the federal statutes, regulations, and mandatory standards it enforces.1 The CPSC issues thousands of “Notices of Violation,”2 identifying alleged violations and requesting that the receiving manufacturer, importer, or retailer take certain corrective action. 
For many companies in the consumer product industry, receiving a Notice of Violation (“NOV”) can feel daunting. But with an understanding of the CPSC’s purpose and process for NOVs and the implementation of certain best practices, companies can turn receipt of a NOV into an opportunity to build rapport with the CPSC and to reinforce and strengthen existing compliance practices. Ultimately, by responding to a NOV, companies can achieve two goals: (1) confirm only safe, compliant products are in the market and (2) reduce business risks and liabilities.
I Received a NOV: What Is It? 
A NOV (sometimes called a “Notice of Noncompliance” or, at ports of entry, a “Letter of Advice”) is issued by the CPSC’s Office of Compliance under the Commission’s investigatory and enforcement authority.3 Each NOV typically includes two components:4

An allegation of noncompliance, identifying the federal statute, regulation, and/or mandatory standard allegedly violated, such as the Consumer Product Safety Act, the Federal Hazardous Substances Act, or the Flammable Fabrics Act; and
Requested corrective action, identifying steps the CPSC wants taken to remedy the alleged noncompliance, which may include:

Correct Future Production. The CPSC may ask a company to correct the design or manufacturing process for a product to eliminate an identified defect(s) or meet a mandatory safety standard, while permitting continued distribution or sale of current inventory within the United States.
Product Seizure. The products may not make entry into the United States or be distributed. The final disposition of the seized products is determined by U.S. Customs and Border Protection (CBP).
Conditional Release of Products. The products will be conditionally released to a designated bonded warehouse where they will be quarantined and may not be sold, distributed, or moved without prior CPSC approval. The products must then be reconditioned such that they become compliant or destroyed.
Reconditioning. The company must remediate the products to be compliant with mandatory safety requirements.
Destruction. The company must destroy the products at its expense in a manner that renders the products unusable and disposed of in accordance with environmental regulations. Destruction must be completed within 30 calendar days and there may be additional requests to verify, such as submitting documents or consenting to inspection.
Stop Sale. The company must immediately stop the sale, distribution, and importation of the product and correct all future production. The company must also notify distributors and retail networks that the product violates federal safety requirements and that continued distribution and sale of the product violates federal law.
Stop Operation. The company must cease operation of the referenced product, which may include closure of the facility where the product is manufactured.
Recall. The company must remove the product from distribution and offer a no-cost recall remedy, such as a refund or replacement to consumers. The company must also immediately issue a stop sale and submit requested information.

Most identified violations from 2016 to 2019 involved tracking label requirements (26%), lead in children’s products (20%), and third-party certificate requirements (11%).5
I Received a NOV: What Are My Options?
Not every NOV leads to a recall, seizure or product destruction, whether requested by the CPSC or not. Upon receipt of a NOV, the recipient has two response options: agree or challenge.6
If the recipient agrees with the CPSC’s findings, the company may accept the corrective action outlined in the NOV or negotiate alternative corrective action with the CPSC. The CPSC will typically monitor implementation of the corrective action and close the case once the actions are “adequately” implemented.
If the recipient decides to challenge the CPSC’s findings and/or proposed corrective action, it should respond promptly and clearly state the reasons for any disagreement. A prompt response will open a dialogue with the CPSC and allow the company to answer questions, correct potential misconceptions, and prevent miscommunications. The company can also request an informal hearing with the Office of Compliance, especially if discussions otherwise reach an impasse.
While the right response is sometimes clear, in many cases the decision of how to respond requires the company to consider several factors, some of which can pull the company in different directions. Either way, the goal is two-fold: (1) confirm only safe, compliant products are in the market, and (2) reduce business risks and liabilities. By implementing best practices, NOV recipients can achieve both goals.
I Received a NOV: What Should I Do? 
In assessing a NOV and determining an appropriate response, companies should engage experienced counsel, understand and evaluate all risks, and take affirmative steps to implement best practices. Examples include:

Respond Immediately and Professionally. Acknowledge receipt of the notice promptly, thank the CPSC for bringing the matter to your attention, and indicate that you are assessing the alleged issue. Timely, respectful communication sets a productive tone.
Designate a Central Point of Contact. Assign a compliance officer or counsel to communicate with the CPSC on the NOV. This ensures consistency and timeliness, reduces the potential for misunderstandings, and conveys organizational discipline.
Engage your Proactive and Reactive Compliance Plans. Strong compliance programs and practices should implement proactive and reactive compliance plans that include reviewing new products, auditing existing ones, maintaining relevant documentation, and step-by-step processes for addressing product safety issues. Engaging these plans will help you to assess actual and perceived safety risks and noncompliance.
Share Relevant Compliance Documentation. Voluntarily provide the CPSC test reports, product specifications, and quality control records to substantiate safety commitments. This can demonstrate compliance, transparency, and good faith.
Engage in Collaborative Problem‑Solving. Offer potential solutions or practical alternatives. Demonstrating that you take safety seriously can influence the CPSC’s perception of your company.
Consider In‑Person or Virtual Meetings. Meeting with CPSC staff can humanize the company and the people working to solve the problem, clarify misunderstandings quickly, and help establish ongoing rapport.
Assess Your Culture of Compliance. Take this as an opportunity to assess your current compliance practices, reinforce what works well, and strengthen any practices which may not have functioned as intended. Strong compliance programs and practices foster a culture of compliance, prioritize safety over sales, and incentivize internal reporting.

By engaging in these best practices, companies can demonstrate proactive, good faith engagement with the CPSC, build rapport, avoid misunderstandings, reinforce and strengthen existing compliance practices, and ultimately reduce business risks and liabilities by lowering the possibility of unsafe and noncompliant products entering the market and limiting potential future disruptions from NOVs.

1 U.S. Gov’t Accountability Off., GAO-21-56, Consumer Product Safety Commission: Actions Needed to Improve Processes for Addressing Product Defect Cases (2020) https://www.gao.gov/assets/720/710988.pdf (noting that for the period of 2016-2019, the majority of alleged violations (825) were identified through the CPSC’s import surveillance program).

2 U.S. Gov’t Accountability Off., GAO-21-56, Consumer Product Safety Commission: Actions Needed to Improve Processes for Addressing Product Defect Cases (2020) https://www.gao.gov/assets/720/710988.pdf.

3 15 U.S.C. § 2054(b)(1).

4 U.S. Consumer Prod. Safety Comm’n, The Regulated Products Handbook (2013) https://www.cpsc.gov/s3fs-public/RegulatedProductsHandbook.pdf.

5 U.S. Gov’t Accountability Off., GAO-21-56, Consumer Product Safety Commission: Actions Needed to Improve Processes for Addressing Product Defect Cases (2020) https://www.gao.gov/assets/720/710988.pdf.

6 Because a NOV is generally not considered a final agency action, it is not considered ripe for judicial review. See Jake’s Fireworks Inc. v. U.S. Consumer Prod. Safety Comm’n, 498 F. Supp. 3d 792, 806 (D. Md. 2020).

Employer Protection Against the Safety Responsibilities of Workers with Overseas Activities—Part 2

Tools for Companies to Implement Preventive Measures, Ensuring Compliance With Protection Obligations and Related Responsibilities
Worker protection relies on several reference figures: the Head of the Prevention and Protection Service, the occupational health company doctor (OHCD), and the corporate functions that manage the company’s work activity abroad. These may also make use of qualified external support on risk assessment, personal safety, or medical emergencies that require medical repatriation to Italy.
The “Travel Risk Management-Guide for Organizations” (ISO 31030:2021) is a key reference for companies operating globally. This standard provides a structured framework for identifying, assessing, and mitigating risks associated with business travel, enabling organizations to take proactive preventive measures and ensure timely action in the event of an incident or emergency.
ISO 31030 is the essential guide outlining the critical factors to be considered in both risk analysis and the planning and implementation of prevention and management strategies.
This takes shape as travel risk management (TRM), a process resulting from a clear and detailed understanding of the factors that can influence the dynamics of risk management, broadly divided into two categories: so-called “external” risks and “internal” risks.
“External” risks include: the political, socioeconomic, religious, and legal environment of the destination country; the level of crime; the quality and reliability of transportation and communications; environmental factors; potential health risks; and the quality of the healthcare and housing system. “Internal” risks include: types of business travel; technical and human resources available for risk management; internal processes; corporate governance; organizational structure, roles, and responsibilities.
The path indicated by TRM enables companies to have detailed policies to define corporate strategies for (i) TRM and adoption of procedures for risk prevention and mitigation; (ii) definition of roles and responsibilities, as well as staff training programs. In this way, a clear corporate system of reference is built, enabling the company to protect the health and safety of its employees during missions abroad.
In these activities, the company profiles that manage safety and health protection, provided for by Legislative Decree 81/08—RSPP, OHCD, dedicated company functions—can avail themselves of consulting support from public or private facilities of proven competence and professionalism, which assist them in the assessment and management of risks related to working abroad.
A further application tool is the September 2024 Guidelines of the Italian Society of Occupational Medicine (SIML), which focus on the articulated and specific aspects of health protection of Italian workers abroad and mention application tools that enable companies to fulfill their regulatory obligations punctually.
The “Professional Orientation Document for the Competent Physician: Practical-Management Aspects for Workers Abroad” represents a milestone in harmonizing scientific knowledge and experience and makes available indications on the health protocols to be adopted, consistent with international best practices and the company’s protection needs.
The document provides the health contribution to the process of risk assessment for work activity in critical geographical areas, highlighting the relevance of factors that can damage the health of a worker in that context and that are absent in the national territory (climate, infection vectors, general hygienic conditions). This is the aspect that requires the employer to extend its position of guarantee to the “specific” risks of working abroad and, ultimately, to integrate the prevention measures adopted in the national territory of Italy.
The perimeter outlined by ISO 31030 and the SIML Guidelines makes available to employers and safety professionals the compliance parameters to be followed to structure an effective TRM policy aimed at minimizing travel-related health and safety risks for workers. These parameters are now commonly recognized internationally and represent a solid reference for the company to assess liability in case of litigation.
From Country Risk Assessment to Workers Health Surveillance: Implementation of the TRM Plan and Application Model
The risk assessment for working abroad, supported by the methodological indications of the SIML guidelines and ISO 31030, considers the geographical area and the country of destination with all its variables (climate, infection vectors, level of health care, geopolitical stability) and thus defines the so-called “country risk.” It is followed by a progressive pathway for the health surveillance of personnel, i.e., periodic medical checks according to country- or destination-specific health protocols, based on the parameters identified by the risk assessment.
It is necessary to identify within the company, with the support of the OHCD, reference functions for the management of expatriate workers that can manage the organization of the “TRM prevention system,” as suggested by the International Labor Office back in 1985.
Footnotes

ISO 31030:2021 guidelines;
Italian Society of Occupational Medicine Guideline: “Professional Orientation Document for the Competent Physician: Practical-Management Aspects for Workers Abroad” – 2024;
Proceedings of the 86th National Congress of Occupational Medicine – Pisa 2024, Italian Journal of Occupational Medicine and Ergonomics (GIMLE) 253–254.

Dr. Vincenzo Nicosia and Professor Paolo Bianco contributed to this article

B2B TCPA NIGHTMARE- Court Refuses to Credit Deposition Testimony at Motion to Dismiss Phase– Allows DNC Claim to Proceed Despite Apparent Business Use of Phone

B2B callers are constantly facing TCPA DNC risk despite the fact the DNC supposedly only applies to residential lines.
The issue, of course, is that cell phones are often used for both business and personal use–especially after COVID. And courts have been very clear in holding that a mixed-use cell phone can still be residential.
Well in Koeller v. Cyflare, 2025 WL 3280316 (E.D. Mo. Nov. 25, 2025) we have an interesting test case because not only was the phone used for business purposes in addition to residential, the business actually paid a stipend for the phone!
Now that’s interesting.
However the court did not dive into the tricky issues raised by the fact scenario because the use of the phone was not pleaded on the face of the complaint– but only in deposition testimony. And since defendant only moved to dismiss the court could not credit the testimony and had to allow the complaint to live on.
The Court also found allegations of willful harm were sufficient to survive the pleadings stage as well– so even though the defendant tried to call a business number (and may have) it is still facing a TCPA class action and enhanced treble damages.
That’s the TCPAworld for you.
B2B callers need to keep the real-world risk of TCPA class actions in the back of their minds. You can’t just buy a list off of Zoom and fire away. Smart money is on scrubbing out cell phones that are on the DNC list– just too much risk not to.

SILENT SWITCH? New Lawsuit Alleges Google Uses Gemini AI to “Secretly” Read Gmail, Chat, and Meet Conversations

The latest in a spate of lawsuits targeting AI tools, a new putative class action filed in the Northern District of California alleges that tech giant Google activated its Gemini AI features across its portfolio of services without obtaining user consent, in violation of the California Invasion of Privacy Act (“CIPA”).
According to the complaint, Google previously offered Gemini “Smart features” as an opt-in tool, but allegedly switched this setting on for all Gmail, Chat, and Meet accounts on or around October 10, 2025, enabling its AI to track users’ private communications in those platforms without knowledge or consent in violation of CIPA Section 632, which prohibits the recording of confidential communications without consent. The filing states that Google tracks these private communications with Gemini by default, requiring users to affirmatively find this data privacy setting and shut it off, despite never “agreeing” to such AI tracking in the first place. The complaint alleges that despite this setting being in default “opt out” status since October 10, the setting is still worded as an “opt in” feature: “When you turn this setting on, you agree . . .” According to the complaint, this renders the privacy settings offered by Google effectively meaningless.
The plaintiff, Thomas Thele, alleges he did not turn on this setting, was not notified of the change, and did not consent to the collection or analysis of information contained in his communications. While Thele does not identify the precise Gmail, Chat, and/or Meet communications that he sent or received with the “Smart features” setting turned on, the complaint identifies the categories of information that could allegedly be derived from these communications, including financial records, employment information, medical information, political and religious affiliations, the identities of family members and contacts, and social habits and activities.
Plaintiff purports to represent the following potentially massive class: “All natural persons residing in the United States with Google accounts whose private communications in Gmail, Chat, and/or Meet were tracked by Google’s Gemini AI after Google turned on “Smart features” in those persons’ data privacy account settings.”
In response to viral social media posts accusing Google of automatically opting Gmail users into AI model training through its “smart features,” Google has issued a statement refuting claims that it uses Gmail content to train the Gemini AI model. However, the sufficiency and truth of Plaintiff Thele’s allegations are yet to be tested. We’ll keep a close eye on this one.
The case is Thele v. Google, LLC, No. 5:25-CV-09704 (N.D. Cal. Nov. 11, 2025).