The CIO-CMO Collaboration: Powering Ethical AI and Customer Engagement
The rapid advancement of artificial intelligence (AI) technologies is reshaping the corporate landscape, offering unparalleled opportunities to enhance customer experiences and streamline operations. At the intersection of this digital transformation lie two key executives—the Chief Information Officer (CIO) and the Chief Marketing Officer (CMO). This dynamic duo, when aligned, can drive ethical AI adoption, ensure compliance, and foster personalized customer engagement powered by innovation and responsibility.
This blog explores how the collaboration between CIOs and CMOs is essential in balancing ethical AI implementations with compelling customer experiences. From data governance to technology infrastructure and cybersecurity, below is a breakdown of the critical aspects of this partnership and why organizations must align these roles to remain competitive in the AI-driven world.
Understanding Ethical AI: Balancing Innovation with Responsibility
Ethical AI isn’t just a buzzword; it’s a guiding principle that ensures AI solutions respect user privacy, avoid bias, and operate transparently. To create meaningful customer experiences while addressing the societal concerns surrounding AI, CIOs and CMOs must collaborate to design AI applications that are both innovative and responsible.
CMOs focus on delivering dynamic, real-time, and personalized interactions to meet rising customer expectations. However, achieving this requires vast amounts of personal data, potentially risking violations of privacy regulations like the General Data Protection Regulation and the California Consumer Privacy Act. Enter the CIO, who ensures the technical infrastructure adheres to these laws while safeguarding the organization’s reputation. Together, the CIO and CMO can delicately balance between leveraging AI for customer engagement and adhering to responsible AI practices.
The Role of Data Governance in AI-Driven Strategies
Data governance is the backbone of ethical AI and compelling customer engagement. CMOs rely on customer data to craft hyper-personalized campaigns, while CIOs are charged with maintaining that data’s security, accuracy, and ethical usage. Without proper governance, organizations risk breaches, regulatory fines, and, perhaps most damagingly, a loss of trust among consumers.
Collaboration between CIOs and CMOs is necessary to establish clear data management protocols; this includes ensuring that all collected data is anonymized as needed, securely stored, and utilized in compliance with emerging AI content labeling regulations. The result is a transparent system that reassures customers and consistently delivers high-quality experiences.
Robust Technology Infrastructure for AI-Powered Customer Engagement
For AI to deliver on its promise of customer engagement, organizations require scalable, secure, and agile technology infrastructure. A close alignment between CIOs and CMOs ensures that marketing campaigns are supported by IT systems capable of handling diverse AI workloads.
Platforms driven by machine learning and big data analytics allow marketing teams to create real-time, omnichannel campaigns. Meanwhile, CIOs ensure these platforms integrate seamlessly into the organization’s technology stack without sacrificing security or performance. This partnership allows marketers to focus on innovative strategies while IT supports them with reliable and forward-thinking infrastructure.
Cybersecurity Challenges and the Integrated Approach of CIOs and CMOs
Customer engagement strategies powered by AI rely heavily on consumer trust, but cybersecurity threats lurk around every corner. According to Palo Alto Networks’ predictions, customer data is central to modern marketing initiatives. However, without an early alignment between CIOs and CMOs, the organization is exposed to risks like data breaches, compliance violations, and AI-related controversies.
A proactive collaboration between CIOs and CMOs ensures that potential vulnerabilities are identified and mitigated before they evolve into full-blown crises. Measures such as end-to-end data encryption, regular cybersecurity audits, and robust AI content labeling policies can protect the organization’s digital assets and reputation. This integrated approach enables businesses to foster lasting customer trust in a world of increasingly sophisticated cyber threats.
Case Studies: Successful CIO-CMO Collaborations
Case Study 1: A Retail Giant’s Transformation
One of the world’s largest retail chains successfully transformed its customer experience through the CIO-CMO collaboration. The CIO rolled out a scalable AI-driven recommendation engine, while the CMO used this tool to craft personalized shopping experiences. The result? A 35% increase in customer retention within a year and significant growth in lifetime customer value.
Case Study 2: Financial Services Leader
A financial services firm adopted an AI-powered chatbot to enhance its customer service. The CIO ensured compliance with strict financial regulations, while the CMO leveraged customer insights to refine the chatbot’s conversational design. Together, they created a seamless, trustworthy digital service channel that improved customer satisfaction scores by 28%.
These examples reinforce the advantages of partnership. By uniting their expertise, CIOs and CMOs deliver next-generation strategies that drive measurable business outcomes.
Future Trends in AI, Compliance, and Executive Collaboration
The evolving landscape of AI, compliance, and customer engagement is reshaping the roles of CIOs and CMOs. Here are a few trends to watch for in the coming years:
AI Transparency: Regulations will increasingly require companies to disclose how AI models were trained and how customer data is used. Alignment between CIOs and CMOs will be vital in meeting these demands without derailing marketing campaigns.
Hyper-Personalization: Advances in machine learning will allow marketers to offer even more granular personalization, but this will require sophisticated data-centric systems designed by CIOs.
AI Content Labeling: From machine-generated text to synthetic media, organizations must adopt clear labeling practices to distinguish between AI-driven and human-generated content.
By staying ahead of these trends, organizations can cement themselves as leaders in ethical AI and customer engagement.
Forging a Path to Sustainable AI Innovation
The digital transformation of business will continue to deepen the interconnected roles of the CIO and CMO. These two leaders occupy the dual pillars required for success in the AI era—technology prowess and customer-centric creativity. By aligning their goals and strategies early on, they can power ethical AI innovation, ensure compliance, and elevate customer experiences to new heights.
EnforceMintz — Novel Criminal Charges and Emerging Civil Trends from Opioid Enforcement in 2024
In past years we have discussed how opioid-related enforcement efforts have remained a top federal and state priority (here, here, and here). In 2024, opioid-related enforcement efforts continued across the entire opioid supply chain, and two themes dominated the most significant opioid cases and resolutions of 2024. First, two major settlements from the past year highlight examples of allegations that crossed a line, prompting the government to pursue criminal charges. Second, a number of recent cases against pharmacies involve a common theory of liability based on the Controlled Substances Act (CSA), which served as the basis for civil liability under the False Claims Act (FCA).
Opioid-Related Criminal Resolutions
In February 2024, Endo, a pharmaceutical manufacturer that previously filed for bankruptcy, reached a global resolution of various criminal and civil investigations into the company’s sales and marketing of opioid drugs. The company agreed to pay the government $464.9 million over 10 years (though the actual total payment amount will likely be much lower due to bankruptcy).
To resolve the criminal investigation, Endo agreed to plead guilty to a one-count misdemeanor charge for violations of the federal Food, Drug, and Cosmetic Act (FDCA). That charge related to the company’s marketing of the drug’s purported abuse deterrence, tamper-resistant, or crush-resistant properties to prescribers, despite a lack of supporting clinical data. In the plea agreement, the company admitted responsibility for misbranding its opioid drug by marketing the drug with a label that failed to include adequate directions for its claimed abuse deterrence use, in violation of the FDCA.
More recently, in December 2024, McKinsey & Company, a worldwide management consulting firm, agreed to pay $650 million to resolve criminal and civil investigations related to the firm’s consulting work for Purdue Pharma, the maker of OxyContin. As noted in the government’s press release, the McKinsey resolution was the first time a management consulting firm has been held criminally responsible for its advice resulting in a client’s criminal conduct.
The two-count criminal charging document accused McKinsey of conspiring to misbrand a controlled substance and obstruction of justice. The conspiracy charge related to McKinsey’s work to “turbocharge” OxyContin sales by targeting high-volume opioid prescribers. The obstruction charge arose from the alleged deletion by a senior partner of certain documents related to the company’s work for Purdue. To resolve those charges, McKinsey entered into a five-year deferred prosecution agreement (DPA). Under the DPA, McKinsey agreed not to do any consulting work related to the marketing, sale, or distribution of controlled substances and agreed to implement significant changes to its compliance program. Separately, the former McKinsey senior partner who allegedly destroyed records relating to the company’s work for Purdue was charged with obstruction of justice and agreed to plead guilty to that charge.
These two resolutions are relevant to all entities in the opioid supply chain, from manufacturers to consultants and all stakeholders in between. Sales and marketing practices, or abuse deterrence claims or practices targeting prescribers based on volume, can lead to both civil liability and potential criminal exposure.
Pharmacies Face Potential FCA Liability Based on CSA Violations
On the civil side, three opioid enforcement actions were particularly noteworthy. Three years ago, we highlighted some of the first pharmacy-related resolutions, which showed that pharmacies were “next in line” for opioid-related enforcement. In 2024, two substantial settlements involved alleged CSA violations giving rise to FCA liability. A third FCA lawsuit, filed in December 2024 against the nation’s largest pharmacy, shows that this trend will likely continue in 2025 and beyond.
In July 2024, Rite Aid and its affiliates agreed to settle allegations brought by the government related to its opioid dispensing practices. Rite Aid had previously filed for bankruptcy, so the settlement agreement involved a payment of $7.5 million, plus a general unsecured claim of $401.8 million in the bankruptcy case.
The government alleged that Rite Aid pharmacists dispensed unlawful prescriptions and failed to investigate “red flags” before dispensing opioid prescriptions, then improperly submitted claims to the government for reimbursement of those prescriptions. The government alleged that the company dispensed unlawful prescriptions by (1) filling so-called “trinity” prescriptions, which are a combination of opioid, benzodiazepine, and muscle relaxants; (2) filling excessive quantities of opioid prescriptions; and (3) filling prescriptions written by prescribers previously identified as suspicious by pharmacists.
Similarly, in December 2024, Food City, a regional grocery store and pharmacy chain based in Virginia, agreed to pay $8.48 million to resolve allegations that it dispensed opioids and other controlled substances in violation of the CSA and the FCA. As in the Rite Aid case, the government alleged that these prescriptions were medically unnecessary, lacked a legitimate medical purpose, or were not dispensed pursuant to valid prescriptions. The government alleged that Food City ignored “red flags” including, among other things, (1) prescribers who wrote unusually large opioid prescriptions; (2) early refills of opioids; (3) prescriptions for unusual quantities or combinations of opioids; and (4) patients who were filling prescriptions for someone else, driving long distances to fill prescriptions, or paying cash for prescriptions.
Also in December 2024, the Department of Justice announced that it had intervened in a nationwide lawsuit alleging that CVS Pharmacy filled unlawful prescriptions in violation of the CSA and sought reimbursement for those prescriptions in violation of the FCA. The lawsuit is currently pending. The theory of liability asserted against CVS is similar to the Rite Aid and Food City cases: CVS allegedly filled unlawful prescriptions, ignored “red flags” of abuse and diversion, and sought reimbursement from federal health care programs for unlawful prescriptions in violation of the FCA.
Under the CSA and applicable regulations, pharmacists dispensing controlled substances, like opioids, have a “corresponding responsibility” to ensure that the prescription was issued for a legitimate medical purpose. 21 C.F.R. § 1306.04(a). Exercising that corresponding responsibility requires identifying and resolving “red flags” before filling a prescription. There is no defined list of what the government deems to constitute “red flags” and determining the existence of red flags is often context dependent. Because FCA lawsuits based on alleged CSA violations appear to be a growing trend, these three cases provide helpful guidance for companies seeking to mitigate risk by implementing corporate compliance programs designed to identify and resolve “red flags” related to opioid prescriptions.
California AG Issues AI-Related Legal Guidelines for Developers and Healthcare Entities
The California Attorney General published two legal advisories this week:
Legal Advisory on the Application of Existing California Laws to Artificial Intelligence
Legal Advisory on the Application of Existing California Law to Artificial Intelligence in Healthcare
These advisories seek to remind businesses of consumer rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, CCPA), and to advise developers who create, sell, or use artificial intelligence (AI) about their obligations under the CCPA.
Attorney General Rob Bonta said, “California is an economic powerhouse built in large part on technological innovation. And right alongside that economic might is a strong commitment to economic justice, workers’ rights, and competitive markets. We’re not successful in spite of that commitment — we’re successful because of it [. . .] AI might be changing, innovating, and evolving quickly, but the fifth largest economy in the world is not the wild west; existing California laws apply to both the development and use of AI. Companies, including healthcare entities, are responsible for complying with new and existing California laws and must take full accountability for their actions, decisions, and products.”
Advisory No. 1: Application of Existing California Laws to Artificial Intelligence
This advisory:
Provides an overview of existing California laws (i.e., consumer protection, civil rights, competition, data protection laws, and election misinformation laws) that may apply to companies that develop, sell, or use AI;
Summarizes the new California AI laws that went into effect on January 1, 2025, covering topics such as:
Disclosure Requirements for Businesses
Unauthorized Use of Likeness
Use of AI in Election and Campaign Materials
Prohibition and Reporting of Exploitative Uses of AI
Advisory No. 2: Application of Existing California Law to Artificial Intelligence in Healthcare
AI tools are used for tasks such as appointment scheduling, medical risk assessment, and medical diagnosis and treatment decisions. This advisory:
Provides guidance under California law (i.e., consumer protection, civil rights, data privacy, and professional licensing laws) for healthcare providers, insurers, vendors, investors, and other healthcare entities that develop, sell, and use AI and other automated decision systems;
Reminds such entities that AI carries harmful risks and that all AI systems must be tested, validated, and audited for safe, ethical, and lawful use;
Informs such entities that they must be transparent about using patient data to train AI systems and alert patients on how they are using AI to make decisions affecting their health and/or care.
This is yet another example of how issues related to the safe and ethical use of AI will likely be at the forefront for many regulators across many industries.
New Extended Producer Responsibility Requirements for Companies Selling Tobacco and Nicotine Products in Single-Use Packaging
A wave of new “Extended Producer Responsibility” or “EPR” programs is beginning to impact companies placing packaged products, including tobacco products, on the market in U.S. states, including California, Colorado, Maine, Minnesota, and Oregon.
The five EPR programs for packaging enacted thus far have different facets. However, at their core, each of the EPR programs requires companies that sell packaged products (with some limited exceptions) to join a newly formed, state-recognized organization (typically called a “Producer Responsibility Organization” or “PRO”) and pay annual dues based on the amount and type of packaging placed on the market in that state. California’s PRO, for one, must collect $500,000,000 annually from producers of covered products, like single-use packaging. Producers also will need to eventually meet certain sustainability goals for single-use packaging, such as ensuring compostability or recyclability of packaging or meeting minimum post-consumer recycled content targets. What is more, the EPR programs encompass not just primary packaging that directly contacts a good, but often shipping and display packaging as well.
As noted above, the EPR program obligations typically fall on the “producer” of the covered product. In the case of single-use packaging, the states have generally defined producer to mean the brand owner that places a packaged good on the market. For example, an e-cigarette or nicotine pouch company that sells or distributes its branded (tobacco-flavored) e-cigarette or pouch in California would be considered the “producer” of any single-use packaging associated with the finished product, even if the e-cigarette or pouch company did not manufacture the packaging itself. Accordingly, it is the companies marketing the finished products, not packaging companies, that will need to register as producers of tobacco product packaging in the states with packaging EPR programs.
Certain state EPR programs – including Colorado’s and Minnesota’s – also include “paper products” as a covered product. While tobacco companies making roll-your-own (RYO) papers and other such paper-based products may be able to avail themselves of certain exemptions, they must assess this on a case-by-case basis.
In this regard, the state EPR programs include various exemptions for producers and covered products, such as exemptions for small-volume producers and exemptions for certain types of packaging, like infant formula packaging. However, the existing EPR laws do not include any explicit exemptions for tobacco product packaging or paper used in tobacco products. Accordingly, absent another applicable exemption, tobacco product manufacturers are likely to meet the producer definition under the state EPR laws, and thus will need to register with applicable state PROs, pay dues based on the product packaging sold in the state, and eventually meet certain goals for the packaging.
In complying with the state EPR schemes, the tobacco and nicotine product industries can expect to face not only supply chain challenges (e.g., the availability of post-consumer recycled content), but also possibly significant regulatory hurdles under the Family Smoking Prevention and Tobacco Control Act. Under the EPR programs, producers may need to make changes to product packaging to meet sustainability targets. Changes to the container-closure system for a legally marketed tobacco product may well require a new premarket authorization from the U.S. Food and Drug Administration (FDA), which can be a costly and time-consuming endeavor.
In terms of implementation timelines, the states will be rolling out their EPR requirements on differing schedules. The deadline for producers to register with Colorado’s PRO occurred on October 1, 2024, while in California, a deadline to register with the PRO has not been established, but the state has proposed a rule that would require producers to register with CalRecycle later this year. Eventually, producers of covered products will be prohibited from selling in states with EPR programs unless they are registered and participating in the programs.
EPR programs for packaging are likely to spread. Numerous other states have considered or are now considering EPR bills, including New York and New Jersey.
Privacy Tip #427 – Ahead of the TikTok Ban, Users are Turning to Another Chinese App with Similar Privacy Concerns – What you Should Know
TikTok users are seeking alternate platforms to share and view content as the U.S. is set to ban the popular social media app on January 19, 2025. Instead of turning to U.S.-based companies like Facebook or Instagram, users are flocking to another Chinese app called Xiaohongshu, also known as RedNote. The app, which previously had little presence in the U.S. market, shot up to the most downloaded app in Apple’s app store this week. RedNote shares similarities with Yelp, where users share recommendations, but it also allows users to post short clips, similar to the soon-to-be-banned TikTok.
While some of these TikTok users choose to switch to RedNote because of the similar short-form video format, other users appear to be purposefully choosing another Chinese-owned app as a form of protest. Either way, ordinary American and Chinese citizens can easily interact in new ways on the internet through RedNote.
However, RedNote includes many of the same privacy and national security issues that the U.S. government raised concerning TikTok. Although many users ordinarily ignore privacy policies, RedNote’s privacy policy is written in Mandarin, making it even more difficult (and in some cases impossible) for users to understand. A translation of the privacy policy indicates that RedNote collects sensitive data like a user’s IP address and browsing habits. As a Chinese-based app, RedNote is also subject to the same Chinese data laws that led U.S. lawmakers to ban TikTok. The TikTok ban could eventually be extended to include RedNote and other Chinese (and other foreign) apps where national security and privacy concerns exist. With other short-form video services (e.g., Instagram Reels and YouTube Shorts) provided by U.S. companies, users do not need to expose their personal data to Chinese-based companies. Additionally, using RedNote to circumvent the TikTok ban could be problematic, particularly for government workers with security clearances. RedNote is not worth these risks, and Americans should avoid downloading it.
Recent Developments in Health Care Cybersecurity and Oversight: 2024 Wrap Up and 2025 Outlook
As cyberattacks targeting the health care sector have continued to intensify over the past year, including ransomware attacks that have resulted in major data breaches impacting health care organizations, the protection of health data has gained the focus of regulators and prompted bipartisan legislative efforts to strengthen cybersecurity requirements in the health care sector.
OIG Report on OCR’s HIPAA Audit Program
Under the Health Information Technology for Economic and Clinical Health Act (HITECH), the HHS Office for Civil Rights (OCR) is required to perform periodic audits of covered entities and business associates (collectively, Regulated Entities) to assess compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules (collectively, “HIPAA Rules”).
Last month, the HHS Office of Inspector General (OIG) released a new report assessing OCR’s HIPAA audit program, raising concerns about the effectiveness of current oversight and the need for enhanced measures to address growing cybersecurity risks in the sector. In its assessment of OCR’s HIPAA audit program, OIG reviewed OCR’s final HIPAA audit reports of Regulated Entities, guidance, and enforcement activities from January 2016 to December 2020.
Although OIG found that OCR fulfilled its obligations under HITECH to conduct periodic audits of Regulated Entities, the report also highlighted several critical issues. First, OCR’s HIPAA audits of Regulated Entities were found to be narrowly scoped, covering only a small fraction of the required protections under the HIPAA Rules. Of the 180 requirements in the HIPAA Rules, OCR’s audits assessed only eight requirements – two Security Rule administrative safeguards (Risk Analysis and Risk Management), three Privacy Rule provisions (Notice of Privacy Practices and Content Requirements, Provision of Notice, and Right of Access), three Breach Notification Rule provisions (Timeliness of Notification, Content of Notification, and Notification by a Business Associate), and zero physical or technical safeguard requirements under the Security Rule.
Second, OIG found that OCR’s HIPAA audit program did not effectively address compliance issues discovered during these narrowly scoped audits of Regulated Entities. For example, OIG highlighted the absence of corrective action requirements following audits, which raised concerns about the program’s ability to drive improvements in the cybersecurity protections of audited Regulated Entities.
In response to these findings, OIG made several recommendations to OCR, including:
Expanding the scope of HIPAA audits to assess Regulated Entities’ compliance with physical and technical safeguards under the Security Rule;
Implementing standards and guidance to ensure deficiencies identified during HIPAA audits are corrected in a timely manner;
Establishing criteria for determining when issues discovered during audits should lead to the initiation of a compliance review; and
Defining metrics for monitoring the effectiveness of OCR’s HIPAA audit program in improving audited Regulated Entities’ protections of electronic PHI.
Recent Regulatory and Legislative Efforts to Address Health care Cybersecurity
OIG’s report is timely and comes amid broader regulatory and bipartisan legislative efforts to strengthen cybersecurity protections across the health care sector, including:
Proposed Regulatory Updates to the HIPAA Security Rule, issued by OCR on January 6, 2025. The proposed regulation is aimed at strengthening the existing requirements under HIPAA Security Standards for the Protection of Electronic Health Information (the “Proposed Rule”), including addressing deficiencies OCR states it has observed during investigations of Regulated Entities. Among other updates, the Proposed Rule eliminates the distinction between “required” and “addressable” specifications (a change OCR says reflects its current view that all specifications in the existing Security Rule are effectively required) and expands existing documentation requirements. The comment period for the Proposed Rule closes on March 7, 2025.
Health Infrastructure Security and Accountability Act of 2024 (S. 5218) (HISAA), a bipartisan bill introduced by Senators Ron Wyden and Mark Warner. For information about this bill, visit our recent blog post summarizing HISAA’s key provisions.
Health Care Cybersecurity and Resiliency Act of 2024 (S. 5390), a bipartisan bill introduced by Senators Bill Cassidy, Mark Warner, John Cornyn and Maggie Hassan. The legislation aims to modernize HIPAA to better address cybersecurity threats facing health care entities. Key provisions include the development of a cybersecurity incident response plan by HHS and the creation of training programs for health care workers in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA).
Healthcare Cybersecurity Improvement Act (H.R. 10455), introduced by Representative Robin Kelly. If passed, the bill would require hospitals to establish basic cybersecurity standards as a Medicare Condition of Participation. It would also allocate $100 million in grants to small and medium-sized hospitals to enhance cybersecurity measures and create liability protection for larger health care systems that provide smaller health care organizations access to cybersecurity resources.
Takeaways
The OIG’s findings, along with regulatory and bipartisan legislative efforts, highlight that Covered Entities and Business Associates will face increased scrutiny of their cybersecurity practices. In particular, OCR’s HIPAA audit program may expand in scope in response to OIG’s report and in light of the Proposed Rule, with a greater focus on evaluating technical and physical safeguards under the Security Rule. In addition, new legislative measures, if passed, will impose more stringent cybersecurity requirements across the health care sector.
As organizations grapple with the potential increase in oversight and regulatory obligations, it is important to note, as we highlighted in our previous post, the HITECH safe harbor that requires the Secretary of HHS to consider a Regulated Entity’s adoption of “recognized cybersecurity practices” in making determinations related to fines, audits, and mitigation remedies. Now more than ever, it is essential for healthcare organizations to ensure they have established and implemented a recognized cybersecurity framework. Organizations that have not yet effectively assessed and documented their current practices, particularly with respect to technical and physical safeguards, should consider doing so.
FTC WENT TOO FAR: Seventh Circuit Court of Appeals Upholds Findings Against Lead Generators – But Finds FTC Went Too Far in Pursuing Dead Guy’s Estate
So a while back I wrote a blog about the extremely dire consequences of violating the TCPA and TSR.
As I reported, not only were a bunch of companies hit for millions in penalties but the individual company owners were also hit with the judgment. And when one of the owners died the FTC went after his estate and sued his daughter – which is just cold-blooded AF:
DEATH IS NO ESCAPE: FTC Pursues Lead Generation Company Beyond The Grave as TSR Enforcement Push Smashes All Boundaries
Yeah…
So defendants all appealed. And for the most part they all lost. But the dead guy’s estate walked away clean so there is a lesson here– violate the TCPA/TSR and the only way out… suicide.
Here was the ruling by the Seventh Circuit Court of Appeals in FTC v. Day Pacer, 2025 WL 25217 (7th Cir. 2025):
We agree the defendants are liable and affirm the court on that front. For the companies, there is no genuine dispute of material fact that their practices are prohibited by the regulations, nor that they should have known their actions were deceptive. As for the individuals, all either knew or should have known of the companies’ illegal acts, and all had authority to prevent them.
Ouch. But the court goes on…
But we reverse and remand the decision to substitute an individual defendant’s estate upon his death and the damages award. The Commission’s suit here was a penal action, which never survives a party’s death.
Interesting, no?
Here is how the Court described the conduct of the “bad guys”:
Day Pacer LLC, and its predecessor EduTrek L.L.C., were companies that generated sales leads. Both purchased consumers’ contact information from websites, usually job-search platforms, where the consumers had entered their information. The companies would then personally call those consumers or contract with other organizations—termed “IBT Partners”—to call them, gauging the consumers’ interest in educational opportunities. If consumers expressed interest, the companies would sell their contact information to for-profit educational institutions.
Sound familiar? This is VERY common behavior for lead generators.
So what’s the issue?
Per the lower court: The court responded that consent given to vendors from whom the companies purchased the information was not sufficient; consumers must consent to each separate caller. Additionally, consumer consent after the call was placed was too late, as callers must have written consent before placing the call.
Hmmm. And what?
Well stay with me.
On appeal the Seventh Circuit found the lead generators were liable for penalties because they could not produce the actual underlying record of consent. They were able to provide URLs to the FTC, but those URLs did not actually load webpages, as many of them had been taken down. The failure to provide actual records of consumer consent resulted in the judgment standing.
So it wasn’t that the lead forms were bad; it’s that the callers could not produce the forms when they needed them!!!
The appellate court also found that all three of the majority owners of the calling defendants had the ability to control their activities and were, therefore, PERSONALLY liable for the amount awarded.
Couple of pieces of good news for the defendants though:
Although the lower court had awarded over $28MM in penalties, the appellate court found this amount was arrived at in error because the defendants’ ability to pay was not considered. That might mean a big reduction in the judgment on remand;
The Court found the FTC penalties were penal in nature and did NOT survive death. That means when one of the guys who owned the lead generation company died the FTC could not pursue his estate. So the court erred in letting the FTC pursue the dead guy’s daughter as administrator.
Obviously a massive ruling here.
Notice– these guys were not true scumbags. They thought they were calling with consent and there was no finding of any sort of fraud. Their “crime” was not being able to produce consent records– and now they are all out of business and being chased for millions of dollars.
If you are a lead generator or call center you MUST MUST MUST take possession of consent records. Do NOT just get a data push from somebody and think you’re safe! And the new one-to-one rule has massive implications here– don’t get killed!
We will keep an eye on this case on remand and report ASAP when something else breaks.
LOW-HANGING FRUIT: NCLC’s FCC Letter Misrepresents REACH
Hey, TCPAWorld!
By now you, our dedicated followers, are entirely familiar with R.E.A.C.H. (Responsible Enterprises Against Consumer Harassment) and its lofty goals in advocating for industry players seeking to engage with consumers in compliance with the TCPA. If you aren’t, check out its website. See REACH.
That being said, Margot Saunders of the National Consumer Law Center submitted an ex parte notice to the FCC (the “NCLC Letter”) on behalf of a slew of consumer organizations that grossly misrepresents, and entirely fails to address the merits of, REACH’s May 9, 2023 amended comment to the FCC (the “REACH Letter”). See NCLC Letter, Joint Consumer Commenters Ex Parte 1-14-25.pdf; REACH Letter, Amended Comment to FCC.05092023.pdf.
Indeed, the REACH Letter explained the “lead generation loophole”—a loophole through which lead generators may sell consumers’ data an indefinite number of times over an unlimited time period.
In response, REACH took the following position:
The underlying problem in the lead generation industry is not the transfer of consent in the first instance, but rather the endless and unlimited transfer of consent. The Commission should first regulate that activity rather than banning it as a first measure.
REACH Letter at 9. In essence, REACH argued that it was unnecessary to shut down the entire lead generation industry in response to a few bad actors.
Specifically, REACH recommended the adoption of its standards—which are “designed to assure that every call made to a consumer from a good or service provider is an anticipated and welcomed call” and one “to which the consumer has provided express written consent”—and requested that the Commission provide a safe harbor to companies that choose to comply. REACH Letter at 2.
Despite REACH’s clear position as an ally in the fight to protect consumers, the NCLC Letter extrapolates a portion of the REACH Letter explaining the problem of the lead generation loophole and presents it as representative of REACH’s position:
“R.E.A.C.H., which describes itself as an organization filing on behalf its ‘direct-to-consumer marketing, lead generation and performance marketing members,’ admitted in its comments that lead generators are responsible for a ‘meaningful percentage’ of entirely fabricated consent agreements. R.E.A.C.H.’s comments provide particularly telling information about how the lead generator industry works to facilitate telemarketing robocalls.”
NCLC Letter at 3 (quoting REACH Letter at 1-6) (emphasis added).
Instead of addressing the merits of REACH’s proposed solution, the NCLC Letter wields this letter as representing some admitted blameworthiness of lead generators in the industry. In reality, however, REACH members “are limiting themselves in ways others in the industry are not” and “risk losing market share to bad players” in service of consumer protection. REACH Letter at 4. “While it is easy to cast blame on the various players in the lead generation industry,” the NCLC Letter conveniently overlooks the fact that “actors in this space are not actually acting in an illegal manner”—a fact REACH repeats. REACH Letter at 9 (emphasis added).
In fact, REACH places the blame for this problem on poor regulation, emphasizing that lead generators’ “conduct has been enabled—one might say cynically encouraged—by an outright failure of regulators to recognize the root of the robocall problem and attempt to address it.” REACH Letter at 9 (emphasis added). This problem can therefore be solved via regulations that create new incentives for such companies—i.e., by adopting the REACH Standards and creating a safe harbor for compliant companies. It is this ultimate conclusion that the NCLC Letter fails to tackle.
Until next time.
GT Legal Food Talk Episode 26: Crossing Borders – Regulation of Food in the United States and Canada with Stikeman’s Sara Zborovski [Podcast]
In this episode of Legal Food Talk, host Justin Prochnow welcomes Sara Zborovski, one of his attorney counterparts from Canada with Stikeman Elliott to discuss the outlook on food regulation in 2025 for the United States and Canada.
Like a baseball or hockey game played between teams from Canada and the United States, they stand at attention while both national anthems play, discussing some of the potential political implications on food regulation in 2025, including a new administration in the United States and Justin Trudeau’s recent actions to prorogue Parliament in Canada.
They then discuss the wave of guidance issued by the FDA at the end of 2024 and the start of 2025, including FDA’s revised definition of “healthy,” the removal of coconut as a food allergen, new action levels for lead in food intended for infants and children, and the proper naming of plant-based food alternatives.
This episode is a shining example of international cooperation and the best collaboration between the United States and Canada since Canadian bacon and pineapple!
New York Courts Provide Additional Guidance on Implementation of Green Amendment
Based on recent decisions, judicial interpretation of New York’s Environmental Rights Amendment (also called the Green Amendment) continues to evolve. The Green Amendment guarantees New Yorkers a “right to clean air and water, and a healthful environment.” N.Y. Const., Art. 1, Sec. 19. Because relatively few courts have interpreted the Green Amendment since it took effect in 2022, its full impact remains uncertain. However, recent decisions suggest that courts are willing to limit the types of legal claims that may be maintained under the Green Amendment.
Green Amendment Not Retroactive and Requires a Significant Contribution to Environmental Harm
Addressing the standard for maintaining a Green Amendment claim, an Erie County Supreme Court (located in the Appellate Division’s Fourth Department) recently held that the amendment did not provide a basis for enjoining a highway redevelopment project. W. N.Y. Youth Climate Council v. NYS Dep’t of Transp., 2024 WL 5050061 (Sup. Ct. Erie Cty. Nov. 15, 2024). The court found that the operation and maintenance of a highway, which had existed for almost 60 years, did not violate the Green Amendment because the amendment did not apply retroactively. Adopting the State of New York’s position that plaintiffs must show that the project would “significantly contribute” to unclean air or water or an unhealthful environment, the court also found that the allegations did not rise to this level.
Green Amendment Does Not Alter the Regulatory Framework
A decision in the Southern District of New York has taken a more restrictive view. Chan v. U.S. Dep’t of Transp., 2024 WL 5199945 (S.D.N.Y. Dec. 23, 2024). The court denied a request to enjoin congestion pricing in New York City because plaintiffs were unlikely to succeed on their Green Amendment claim. The court found that the amendment did not create a “self-executing substantive right” to environmental standards beyond those in existing regulations. Rather, the court explained that the Green Amendment guarantees only a baseline level of clean air and water and a healthful environment, and plaintiffs must show that this constitutional minimum is not being met to have a claim. The reasoning of the Chan decision, if broadly embraced, could severely limit the availability of a private right of action under the Green Amendment.
Green Amendment Cannot Compel Discretionary Agency Action
In a suit targeting government enforcement discretion, the Albany County Supreme Court (located in the Third Department) dismissed a Green Amendment claim brought against the State of New York and the New York Department of Environmental Conservation (NYSDEC). See People v. Norlite, LLC, No. 907-689-22, Doc. No. 369 (Sup. Ct. Albany Cty. Dec. 30, 2024). Plaintiffs alleged that NYSDEC violated the Green Amendment by issuing a permit for and allowing the operation of a manufacturing facility. Relying on the Fourth Department’s July 2024 decision in Fresh Air for the Eastside, Inc. v. State of New York, the trial court concluded that this claim, while styled as a request for declaratory relief, actually sought to compel agency action. Because the Green Amendment claim challenged NYSDEC’s statutory discretion, the court held that it did not have the authority to grant the relief sought and dismissed the claim.
***
While these decisions are not binding in other cases, they indicate that courts tend to interpret the reach of the Green Amendment narrowly and limit the types of claims they consider permissible under it. Regulated entities in New York should continue to monitor new litigation surrounding the Green Amendment and other decisions interpreting the reach of this state constitutional provision.
BIS Finalizes Rule Prohibiting Connected Vehicle Imports Linked to China and Russia: Key Compliance Requirements Announced
The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has promulgated a Final Rule prohibiting the import and sale of connected vehicles and related components linked to the People’s Republic of China (PRC) and Russia, citing critical national security concerns. These rules represent a pivotal shift in U.S. automotive supply chain regulations, emphasizing the need for vigilance and proactive compliance by stakeholders across the industry.
Expanded Compliance Obligations
Although the final rule does not mandate formal certification, suppliers are now required to scrutinize the origins of Vehicle Connectivity Systems (VCS) hardware and Automated Driving Systems (ADS) software to ensure compliance. Suppliers must exclude components with links to the PRC or Russia, with significant implications for sourcing practices and operational processes.
To address these challenges, many suppliers are exploring partnerships with third-party certification firms to assist in supply chain mapping and regulatory compliance. These firms provide specialized support to ensure alignment with U.S. regulations:
Regulatory Compliance Consultants
Offer tools, training, and industry-specific strategies for supply chain compliance.
Assist in establishing robust processes for meeting evolving regulatory requirements.
Cybersecurity and IT Compliance Firms
Evaluate and certify software and hardware for security vulnerabilities.
May expand their offerings to include BIS-specific compliance as the rule is fully enacted.
Automotive-Specific Compliance Firms
Focus on connected vehicle systems, offering cybersecurity testing and risk assessments tailored to the automotive industry.
Limited OEM Guidance
Original Equipment Manufacturers (OEMs) have provided limited direction on how they will interpret and implement the final rule. However, several have engaged in the rulemaking process through public comments and requests for compliance extensions. OEMs may eventually require declarations or certifications from their supply base, even in the absence of a formal BIS mandate. This highlights the importance of proactive supplier engagement and preparation to meet potential OEM requirements.
Implications for Automotive Suppliers
The final rule is poised to profoundly impact automotive suppliers, particularly those sourcing components from the PRC or Russia. As we previously advised, key considerations include:
Supply Chain Transparency: Suppliers must conduct thorough due diligence to identify components with links to the PRC or Russia. This requires comprehensive mapping of supply chains and ensuring traceability down to sub-suppliers.
Increased Costs: Transitioning to alternative suppliers or technologies may drive up costs and disrupt existing contracts.
Collaboration Challenges: Suppliers must work closely with OEMs and industry organizations to navigate evolving requirements.
Recommendations for Compliance
To mitigate risks and align with the new regulations, automotive stakeholders should take the following steps:
Conduct a Supply Chain Assessment
Map the origins of all hardware and software used in connected vehicles.
Identify and mitigate risks associated with PRC- or Russia-linked components.
Engage Third-Party Certification Firms
Partner with firms specializing in supply chain mapping, cybersecurity evaluations, and compliance certifications to streamline processes and ensure regulatory alignment.
Collaborate with Industry Groups
Engage with organizations like the Alliance for Automotive Innovation and Motor & Equipment Manufacturers Association (MEMA) to share insights and develop collective strategies for compliance.
Prepare for OEM Requirements
Anticipate the possibility of OEM-mandated certifications and declarations, and begin preparing the necessary documentation and processes to meet these demands.
While the regulatory landscape remains dynamic, proactive planning, thorough due diligence, and strategic collaboration will be critical for suppliers and manufacturers to adapt to the BIS’s final rule. By aligning their practices now, companies can minimize disruptions and position themselves for long-term compliance and competitiveness in a rapidly evolving market.
Elizabeth Morales-Saucedo contributed to this article
HHS-OCR’s Proposed Rule and HIPAA Security Risk Assessment
On December 27, 2024, in the midst of the holiday season, the U.S. Department of Health and Human Services (HHS) issued a proposed rule that would significantly modify the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Specifically, the proposed rule includes express requirements for Covered Entities when conducting a Security Risk Assessment (SRA).
New requirements would include a written assessment that contains, among other things:
A review of the technology asset inventory and network map
Identification of all reasonably anticipated threats to the confidentiality, integrity, and availability of ePHI
Identification of potential vulnerabilities and predisposing conditions to the regulated entity’s relevant electronic information systems
An assessment of the risk level for each identified threat and vulnerability, based on the likelihood that each identified threat will exploit the identified vulnerabilities.
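To make the four listed elements concrete, the following is an added example and not HHS-OCR’s method, its SRA tool, or any vendor’s product. The proposed rule names the elements but, as the post notes, prescribes no scoring scheme, so the 1-to-5 likelihood and impact scale, the risk bands, and the sample inventory, network map and findings are all assumptions constructed for illustration. The inventory-versus-network-map reconciliation is the part most often missing from a written assessment: a device on the network that is not in the inventory is itself a predisposing condition.

```python
"""Illustrative skeleton of the written SRA elements listed above.

Added example, not HHS-OCR's method or tool. The 1..5 likelihood/impact
scale, the risk bands and all sample data are assumptions constructed for
illustration.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str
    holds_ephi: bool


@dataclass(frozen=True)
class Finding:
    asset_id: str
    threat: str
    vulnerability: str
    likelihood: int   # 1 (rare) .. 5 (expected); scale is an assumption
    impact: int       # 1 (negligible) .. 5 (severe); scale is an assumption


def reconcile_inventory(inventory: dict, network_map: set) -> dict:
    """Element 1: review the asset inventory against the network map.
    Hosts seen on the network but absent from the inventory are unknown
    systems; inventoried assets not seen may be decommissioned or mis-mapped."""
    return {
        "unknown_on_network": sorted(network_map - set(inventory)),
        "inventoried_not_seen": sorted(set(inventory) - network_map),
    }


def risk_level(likelihood: int, impact: int) -> str:
    """Element 4: risk from likelihood x impact, banded (bands are an assumption)."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register(inventory: dict, network_map: set, findings: list) -> dict:
    """Assemble the written assessment: the reconciliation (Element 1) plus
    every threat/vulnerability pair (Elements 2 and 3) with its risk level
    (Element 4), highest risk first. Each unknown device is entered as its own
    finding at an assumed likelihood/impact of 4/4, since nothing is known
    about its patch or configuration state."""
    recon = reconcile_inventory(inventory, network_map)
    rows = [{**asdict(f), "risk": risk_level(f.likelihood, f.impact)} for f in findings]
    for dev in recon["unknown_on_network"]:
        rows.append({"asset_id": dev,
                     "threat": "unmanaged device on the ePHI network",
                     "vulnerability": "not in inventory; patch and configuration state unknown",
                     "likelihood": 4, "impact": 4, "risk": risk_level(4, 4)})
    rows.sort(key=lambda r: -(r["likelihood"] * r["impact"]))
    return {"reconciliation": recon, "register": rows}


# Constructed sample data: one printer inventoried but not seen on the wire,
# one NAS seen on the wire but never inventoried.
INVENTORY = {
    "ehr-db-01":   Asset("ehr-db-01", "database", True),
    "ws-nurse-07": Asset("ws-nurse-07", "workstation", True),
    "print-02":    Asset("print-02", "printer", False),
}
NETWORK_MAP = {"ehr-db-01", "ws-nurse-07", "nas-unknown"}
FINDINGS = [
    Finding("ehr-db-01", "ransomware via phished credentials", "no MFA on database admin accounts", 4, 5),
    Finding("ws-nurse-07", "theft of device", "disk not encrypted", 2, 4),
    Finding("print-02", "unauthorized physical access", "PHI left in output tray", 3, 2),
]

if __name__ == "__main__":
    report = build_register(INVENTORY, NETWORK_MAP, FINDINGS)
    print("reconciliation:", report["reconciliation"])
    for row in report["register"]:
        print(f'{row["risk"]:6} {row["asset_id"]:12} {row["threat"]} / {row["vulnerability"]}')
```

Whatever scale an organization adopts, the point the enforcement discussion below makes is that the assessment must be written down and defensible; a register like this, with the reconciliation and the rationale for each likelihood and impact rating, is the artifact an auditor asks for.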
Notably, while the “new” requirements have yet to be finalized or take effect, HHS’s Office for Civil Rights (HHS-OCR) has already begun to enforce them against Covered Entities, including by imposing fines and penalties on Covered Entities whose failure to implement the proposed requirements results in a data breach affecting their patients’ protected health information (PHI).
For some time, HHS-OCR has acknowledged that the HIPAA Security Rule does not prescribe a specific risk analysis methodology, and it has recognized that methods of conducting a SRA will vary depending on the size, complexity, and capabilities of the organization. Further, HHS-OCR Guidance on Risk Analysis does not endorse or recommend any particular risk analysis or risk management model. While HHS-OCR provides a free proprietary tool for small to medium-size organizations to use when conducting a SRA, its product contains a disclaimer that use of the tool does not guarantee compliance with federal, state, or local laws.
Covered Entities are therefore left to their own devices in discerning what methodologies and management models are appropriate for their organization when conducting a SRA. At the same time, whatever methodology an organization adopts may still be deemed insufficient under HHS-OCR’s undisclosed standards. A Covered Entity with no SRA or an insufficient SRA may face significant fines and penalties in the event it is subject to a data breach and a subsequent HIPAA compliance audit.
While Covered Entities may turn to third-party vendors that market themselves as specialists in providing HIPAA compliance services, including conducting SRAs, there is no guarantee this will satisfy the requirements under HIPAA. Recently, HHS-OCR has regarded SRAs performed by these vendors as deficient without providing any specific guidance to the Covered Entity as to exactly what aspects of their SRA were noncompliant with HIPAA.
This conundrum has recently dismayed a number of Covered Entities that are now facing fines and penalties in light of HHS-OCR’s recent HIPAA Security Risk Assessment enforcement initiative, which it has relentlessly pursued since October of 2024. It’s not yet clear whether the proposed requirements will make compliance with HIPAA’s Security Rule easier or create further confusion.