10th CIRCUIT EXPANDS TCPA EMERGENCY PURPOSES EXCEPTION: Calls Made to Inform Residents of Virtual Town Halls During Covid-19 Are Covered

For many of us, Covid-19 feels like a distant memory. But with the TCPA’s four-year statute of limitations, what’s in the past is rarely forgotten. The 10th Circuit Court of Appeals, in particular, has not forgotten the challenges of maintaining normalcy amidst social distancing measures and the raging pandemic.
In a recent decision, the 10th Circuit affirmed the New Mexico District Court’s dismissal of a TCPA case, holding that calls made by the City of Albuquerque to inform residents about virtual town-halls during the Covid-19 pandemic are covered by the TCPA’s emergency purposes exception. This decision notably expands scope of the emergency purposes exception – previously limited to calls conveying urgent health and safety information – to cover broader mitigation measures tied to public health emergencies.
Plaintiff Gerald Silver brought a putative class action against the City of Albuquerque, alleging that the city violated the TCPA by making pre-recorded phone calls inviting its residents to attend virtual town hall meetings during the COVID-19 pandemic. The calls were made to residents designated by the (505) area code. Silver’s complaint alleges that he received “at least seven prerecorded voice calls from the city on his cell phone” about the town halls.
Both parties agreed there was no commercial purpose to the calls, and that, during the period in which the calls were made, the federal government, the State of New Mexico, and the City of Albuquerque had all declared a state of public health emergency relating to Covid-19.
The city moved to dismiss Silver’s claim on two grounds: First, the city argued it was not subject to the TCPA because it was not a qualifying “person” under the statute; and second, the city contended that, even if it was subject to the TCPA, the calls fell under the TCPA’s exception for calls made for emergency purposes.
While the Court skirted around the issue of whether the TCPA applies to local governments, it held that Silver’s complaint did not show a violation of the TCPA. Although the TCPA generally prohibits the use of robocalls, it excepts from coverage “calls made necessary in any situation affecting the health and safety of consumers.” 47 C.F.R. § 64.1200(f)(4). The Court of Appeals undertook a two-step inquiry to determine whether the City’s calls were covered by the emergency purposes exception, looking at their (1) context and (2) content. Because the caller was a local government official, the “context” prong of the inquiry was satisfied. The “content” prong was also satisfied, because each call was informational. And because the City made the calls to inform citizens that town hall meetings would be held virtually—a mitigation measure “made necessary” by the social-distancing requirements of the pandemic—the Court of Appeals held that calls fall squarely within the exception.
“Because a virtual town hall meeting is itself a mitigation measure, any communications regarding those town hall meetings satisfy the content prong of the emergency purposes exception.”

The Court of Appeals also rejected Silver’s argument that because he had not expressed a desire to attend the town hall meetings, the phone calls were not relevant to him. The Court held that emergency purposes exception does not require that calls be tailored to an individual’s preferences, but rather, to an emergency that is relevant to the called party. Here, the emergency was the pandemic which, along with any associated mitigation measures, was relevant to all City residents.
Silver next argued that there were less intrusive means for the city to inform residents about the town halls, or, in the alternative, that the City’s calls could not have related to the pandemic because they did not explicitly mention Covid-19. Both these arguments failed to persuade the Court, because (1) the TCPA does not require calls to use specific words to invoke the emergency purposes exception, and (2) a caller is not required to use the least intrusive means available.
You can read the Court of Appeals’ Order here: Gerald Silver v. City of Albuquerque

Threat Actors Use AI to Launch Identity Theft Scams

Identity theft will continue to rise in 2025. According to the Better Business Bureau of Missouri (BBB), it received over 16,000 identity theft complaints in the past three years. Scammers are “increasingly using advanced tactics such as artificial intelligence to exploit victims.”
The BBB notes that threat actors are taking over social media accounts to solicit money and “impersonating individuals to rent apartments or open credit cards.”
According to Which?, fraud prevention service Cifas reports the continuing rise of identity theft and fraud, and artificial intelligence (AI) is “fuelling [the] identity fraud increase.” Cases of account takeover “drastically increased by 76% in 2024.” Over half of these cases involved threat actors hijacking mobile telephone accounts, and SIM swap fraud increased by a whopping 1,055%. Threat actors use AI more frequently in cases of false applications, where it assists “with the speed, sophistication and scale of false documentation, as well as aiding the ability to pass verification checks.”
Identity theft will continue to rise, so preventative measures, such as those outlined by the BBB, Identitytheft.org, and the FTC, will hopefully prevent victimization. If you become a victim, the FTC has free helpful resources to consider.

Re: Watch What You Say Here

The Commercial Electronic Mail Act (CEMA) is a Washington State law that prohibits sending state residents a commercial email misrepresenting the sender’s identity. A commercial email promotes real property, goods, or services for sale or lease. A recent Washington Supreme Court opinion held that this prohibition includes the use of any false or misleading information in the subject line of a commercial email and is not limited to false or misleading information about the commercial nature of the message. Brown v. Old Navy, LLC, No. 102592-1 (Wash. 4/17/25).
The case arose when the plaintiffs sued Old Navy after allegedly receiving emails with false or misleading subject lines about the retailer’s promotions . The plaintiffs categorized four types of false and misleading emails from Old Navy:

Emails that announced offers available longer than stated in the subject line;
Emails that suggested an old offer was new;
Emails that suggested the end of an offer; and
Emails that stated a promotion extension.

For example, plaintiffs claimed that they received emails with subject lines including phrases like “today only” or “three days only” when sales or promotions lasted longer. The plaintiffs also pointed to emails from Old Navy about a 50% off promotion that would supposedly end that day, but continued in the following days. Plaintiffs argued that such emails violate CEMA because of false or misleading subject lines.
The applicable CEMA provision prohibits entities from sending commercial emails that “contain false or misleading information in the subject line.” RCW 19.190.020(1)(b). While plaintiffs argued that the provision refers to any information, Old Navy asserted that the prohibition is directed at statements in the subject line that mislead the recipient as to what the email is about. The Washington Supreme Court noted that the plain meaning of Subsection 1(b), and CEMA’s general truthfulness requirements, indicate that the statute applies to any information contained in an email subject line.
Old Navy also claimed that the plaintiffs’ interpretation of the subsection would punish Old Navy for “banal hyperbole.” According to the retailer, such puffery was not intended to be in CEMA’s scope. The court noted that though this issue was not within the scope of the narrow question in the case, typical puffery, including statements such as “Best Deal of the Year,” is not misrepresentation or false because “market conditions change such that a better sale is later available.” According to the court, mere puffery differs from representations of fact, such as “the duration or availability of a promotion, its terms and nature, the cost of goods, and other facts” that are important to Washington consumers when making decisions.
Though five justices signed the majority opinion, four others dissented. The dissent notes the antispam legislative intent and history behind CEMA, holding that the legislature was concerned about the “volume of commercial electronic mail being sent,” suggesting the narrower interpretation of Subsection 1(b) that Old Navy proposed. The dissent opinion points to the preceding provision of CEMA, which precludes transmitting an email that “[u]ses a third party’s internet domain name without permission of the third party, or otherwise misrepresents or obscures any information in identifying the point of origin or the transmission path of a commercial electronic mail message.” RCW 19.190.020(1)(a). According to the dissent, Subsection (1)(b) should “be read in harmony” with Subsection 1(a) and should be interpreted to address the prevention of sending emails that hide the email’s origin and promotional purpose. In support of its position, the dissent includes the example of the Washington Attorney General’s Office website, which directs consumers to “[c]arefully examine the body of the email message as it relates to the email’s subject line” and see if “it accurately describe[s] what is contained in the email” to determine whether the subject line would violate CEMA.
Companies can expect increased CEMA litigation due to this case. Those engaging in email marketing should be mindful of their subject line language. Statements about the nature of specific offers could be subject to increased scrutiny in Washington state. When choosing between general puffery and a more targeted subject about a specific offer, businesses may want to err on the more conservative side of the line (pun intended).

FTC Settles With accessiBe For Misleading Statements About WCAG Compliance

The Federal Trade Commission (FTC) announced on April 22, 2025, that it has approved a settlement entered into a Final Order with accessiBe, which claimed its plug-in product, accessWidget, “can make any website compliant with Web Content Accessibility Guidelines (WCAG).” The settlement includes the payment of $1 million and requires accessiBe to refrain from “making misleading claims.” The Commission unanimously approved the Final Order 3-0.
The FTC had filed a complaint against accessiBe Ltd alleging that “despite the company’s claims, accessWidget did not make all user websites WCAG-compliant and these claims were false, misleading, or unsubstantiated.” The complaint further alleged that it “deceptively formatted third-party articles and reviews to appear as if they were independent opinions.”
The settlement reinforces the FTC’s continued focus on misleading claims, and companies should check the accuracy of representations made on websites.

FTC Finalizes Updates to Children’s Privacy Rule…Again

After a period of regulatory review under Chairman Andrew Ferguson, on Tuesday, April 22, 2025, the U.S. Federal Trade Commission (FTC) published amendments to the Children’s Online Privacy Protection Act (COPPA) Rule (COPPA Rule or the Rule), which was last updated in 2013. As we reported earlier this year, the FTC finalized its most recent updates to the COPPA Rule on January 16, 2025. However, that version of the amended Rule was not published before President Trump took office on January 20, 2025, and ordered a freeze on “publishing any rule to the Office of the Federal Register until a new agency head appointed or designated by the President reviews and approves the rule.” Accordingly, the FTC, now under Chairman Ferguson, once again reviewed and approved amendments to the COPPA Rule with minor changes to the version approved during the Biden administration. The amended Rule will go into effect on June 23, 2025, although most of the substantive requirements are effective April 22, 2026.
The amended Rule published on April 22, 2025, remains substantively the same as the January 16, 2025, pre-publication version. The key revisions to the Rule we previously highlighted are unchanged. They include new parental notification requirements related to data shared with third-party vendors, a new definition for “mixed audience,” the addition of biometric and government identifiers to the list of “personal information,” more robust “reasonable security” provisions, and a requirement that operators adopt and provide notice of a data retention policy. Additionally, the published Rule retains new requirements for COPPA Safe Harbor programs.
In a concurring opinion supporting the January 16 version of the amended Rule, Chairman (then Commissioner) Ferguson identified a few areas where he felt clarification in the amended Rule language would be helpful, but those changes were not implemented. Issues he identified include:

The meaning of a “material” change requiring new parental consent remains undefined. Both the 2013 version of the Rule and the amended version require that operators obtain fresh parental consent for all “material” changes to privacy terms; however, “material” remains an undefined term in the amended Rule. This may raise several different compliance obstacles, but Ferguson took specific issue with the fact that the amended Rule also requires operators to disclose to parents the identities of third-party recipients of children’s data when obtaining parental consent. With no elaboration on what is meant by “material,” he speculated that all additions or changes to the identities of third-party vendors could require an operator to request new parental consent. This mandate would increase the costs of switching third-party vendors and thus discourage the use of upstart competitors, undermining business competition.
The meaning of “retained indefinitely” remains undefined. The 2013 version of the Rule made clear that children’s data should be retained only for “as long as is reasonably necessary to fulfill the purpose for which the information was collected.” The amended Rule retains this language with minor modifications but also specifies that “[p]ersonal information collected online from a child may not be retained indefinitely.” However, no time period is set for retention. In Ferguson’s concurring opinion, he stated that “it is unclear how the requirement is any different than the existing requirement to keep the information no longer than necessary to fulfill the purpose for which it was collected.”
Collection of personal information for age verification continues to require parental consent. In his concurring opinion, Ferguson asserted that operators of mixed-audience websites or online services “wanting to use more accurate age verification techniques than self-declaration” would need information “such as photographs or copies of government-issued IDs.” Ferguson argued that the amended Rule contains “many exceptions to the general prohibition on the unconsented collection of children’s data, and these amendments should have added an exception for the collection of children’s personal information for the sole purpose of age verification, along with a requirement that such information be promptly deleted once that purpose is fulfilled.”

As of this writing, neither the Chairman nor the other sitting commissioners issued additional statements on the publication of the amended Rule. However, there are aspects of the Federal Register preamble and the Rule itself that appear to address the Chairman’s prior concerns. For example, the “material” change notification requirement is discussed in a footnote to the preamble to the Federal Register notice (and was also present in the January 16 pre-publication version), where the FTC explains that “the Commission is not likely to consider the addition of a new third-party to the already-disclosed category of third-party recipients to be a material change that requires new consent.” The amended Rule’s requirement for a written data retention policy requires reference to a time period, which appears to address Ferguson’s earlier concerns that the amended Rule does not adopt a specific temporal limit on data retention as long as data is not retained indefinitely. In addition, it appears that the Commission considered the option of allowing personal information, including photographs and biometric identifiers, to be used for age verification, but ultimately determined that the potential benefits of using this type of information for age verification were outweighed by the risks of this data being misused.
Given that this most recent round of amendments was initiated in 2019, it seems unlikely that any further amendments will be made in the near term absent further Congressional action to amend COPPA itself. However, children’s privacy continues to be an area of focus for the FTC, which will hold a workshop entitled “The Attention Economy: How Big Tech Firms Exploit Children and Hurt Families” at 9:00 a.m. ET on June 4, 2025. This workshop will cover a variety of topics, including strategies to protect children online, such as through age verification and parental consent requirements. Members of the public can register to attend in-person, and a link to the livestream will be posted to FTC.gov the morning of the event.

Privacy Tip #441 – Identity Theft Statistics Increasing in 2025

Unfortunately, identity theft continues to increase, and according to Identitytheft.org, the statistics are going to get worse in 2025. Some of the statistics cited by Identitytheft.org include:

1.4 million complaints of identity theft were received by the Federal Trade Commission
Total fraud and identity theft cases have nearly tripled over the last decade
Cybercrime losses totaled $10.2 billion
The median loss to fraud victims is $500
There is an identity theft case every 22 seconds
33% of Americans faced some form of identity theft at some point in their lives
Consumers aged 30-39 were the most victimized by identity theft
Georgia ranked #1 for identity theft and fraud cases

Identitytheft.org concludes:
“Identity theft has been a growing problem in the U.S. for the past few years. It is difficult for victims to deal with these issues because theft methods are becoming even more sophisticated with time. Citizens must safeguard their personal information by utilizing technology such as antivirus protection software, password managers, identity theft protection, and VPNs if they want to avoid identity theft scenarios in 2025.”
These are helpful tips to consider.

Clocked In: FCC Seeks Clarity on Call Time Rules

In our previous alert, Tick-Tock, Don’t Get Caught: Navigating TCPA’s Quiet Hours, we discussed a growing wave of lawsuits targeting businesses under the Telephone Consumer Protection Act (“TCPA”) for allegedly sending text messages outside the Federal Communications Commission’s (“FCC”) designated 8:00 AM to 9:00 PM window. These suits often involve texts sent just minutes before or after the hour. Worse yet, these suits frequently target businesses whose customers had voluntarily opted into Short Message Service (“SMS”) programs. As we explained, under the plain language of the TCPA and the FCC’s rules, such messages should not be considered “telephone solicitations” at all, because the recipients gave prior express consent. As a result, they should not also be subject to the quiet hours rule.
Subsequently, the FCC took an important step that could clarify this issue. Recently, the FCC released a Public Notice seeking comment on whether the TCPA’s quiet hours apply to text messages sent with the recipient’s prior express consent. The Public Notice has drawn strong responses from both sides of the debate, including plaintiff’s attorneys, consumer advocacy groups, industry associations, and privacy-focused nonprofits. This development suggests that regulatory guidance could be forthcoming—but until then, litigation risk remains.
The FCC’s Public Notice
In its Public Notice, the FCC asked for input on whether its rules prohibit businesses from sending text messages for telemarketing purposes outside the 8:00 AM to 9:00 PM window, even if the message was sent with the consumer’s prior express consent. The FCC also invited comment on related issues in the alternative, including whether there is a non-rebuttable assumption that the NPA-NXX (i.e., the area code and local exchange of the called party) is indicative of the called party’s location when applied to wireless phone numbers.
Comments on the Petition
Several industry stakeholders filed comments supporting the petition. These commenters emphasize the plain language of the TCPA and the FCC’s own rules, which state a “telephone solicitation” does not include calls or messages made with the recipient’s prior express invitation or permission. Because the quiet hours restrictions apply only to “telephone solicitations,” the argument goes, messages sent with prior consent should be exempt by definition.
Supporters argue that requiring businesses to track the local time zone of each customer creates an unreasonable compliance hurdle, especially given the mobile nature of modern communications. Responsible Enterprises Against Consumer Harassment (“R.E.A.C.H.”) included data showing a month-over-month increase in the number of cases filed and warned that without FCC intervention, a growing number of class actions will exploit the ambiguity around this issue.
However, several organizations and law firms that regularly advocate for consumer protections filed comments opposing the petition. These commenters generally argue that the quiet hours rule applies to all marketing messages, regardless of consent, and that carving out an exception would undermine consumer privacy. For example, the Law Offices of Jibrael S. Hindi—a firm that has filed many of the recent lawsuits under this theory—opposed the petition. The firm claimed consumers may not expect to receive messages during early morning or late evening hours, even if they opted into a marketing program, and suggested consent should not extend to contact during quiet hours unless explicitly disclosed and agreed to. The National Consumer Law Center (“NCLC”) likewise encouraged the FCC to allow the issue to play out in the courts and argued against creating a presumption about quiet times based on the called party’s area code and local exchange.
What Comes Next
Now that the comment period has closed, the FCC will review the submissions and decide whether to issue a declaratory ruling. There is no set timeline for the Commission to act, and it may take several months (or longer) before any formal decision is issued. In the meantime, plaintiffs’ attorneys may continue filing lawsuits under the current ambiguity.
What Businesses Should Do in the Meantime
Until the FCC provides definitive guidance, businesses that engage in SMS marketing should consider the following steps to reduce legal exposure:

Respect the Quiet Hours: Even if you have a strong argument your messages are exempt, the safest course is to avoid sending marketing texts before 8:00 AM or after 9:00 PM in any time zone in the United States.
Audit Your Consent Process: Ensure your SMS terms clearly disclose the nature and timing of messages. Consider adding language that explains messages may be sent at any time, including early morning or evening hours.
Implement Time-Zone Safeguards: Use geolocation tools or other technology to manage time-zone targeting. Even if not legally required, this step can show a good-faith effort to comply.
Document Everything: Maintain records showing when and how a consumer provided consent, what disclosures were made, and when messages were sent.
Monitor FCC Activity: Stay informed on the status of the petition and any related FCC guidance. An eventual ruling could impact how these lawsuits are litigated and defended. Businesses in litigation may wish to consider filing motions to stay pending the outcome of the FCC petition.

Conclusion
The FCC’s request for comment is a welcome sign that regulatory clarification may be on the horizon. However, until that clarification arrives, businesses must continue to navigate the uncertain legal terrain. Stakeholders remain hopeful that the FCC will confirm what the statute and regulations already suggest: that messages sent with prior express consent are not “telephone solicitations” and are, therefore, not subject to the quiet hours rule. In the meantime, businesses should remain vigilant, stay within the safe harbor when possible, and consult legal counsel when designing or updating their marketing programs.

FDA Releases Results from Bottled Water PFAS Testing

FDA recently shared the final results from the testing of domestic and imported bottled water collected at retail locations across the U.S. for per- and polyfluoroalkyl substances (PFAS). Of the 197 samples of purified, artesian, spring, and mineral waters tested, ten samples had detectable levels of PFAS. However, none of those had levels that would have exceeded the EPA’s maximum contaminant levels (MCLs) for PFAS in public drinking water.
PFAS are a diverse group of widely used, long lasting chemicals that do not easily break down and can accumulate in the environment and human tissues with negative health consequences. PFAS have been the subject of various testing efforts, lawsuits, and legislation.
In the bottled water study, FDA tested for 18 types of PFAS, including the six types with EPA-established MCLs. The ten samples with detectable PFAS levels contained a range of one to four different PFAS in domestic samples and one to two different PFAS in imported samples. Of these, four PFAS were below EPA MCLs for drinking water, and two PFAS detected do not have established MCLs.
The Food, Drug, and Cosmetic Act requires FDA to establish a standard of quality regulation for contaminants in bottled water whenever the EPA establishes MCLs for public drinking water as part of a National Primary Drinking Water Regulation. If FDA does not establish a standard for the contaminants or finds that such standards are not necessary to protect public health, then the EPA levels are considered the applicable regulation for bottled water. FDA can then take action against bottled water that presents a safety concern even if there is no standard of quality for a contaminant.

EU Data Act Preparedness – Last Minute Fire Drill Exercise!

In less than six months, on 12 September 2025, most provisions of EU Regulation no. 2023/2854 (the EU Data Act) will go into effect. In light of the challenging compliance efforts, from legal and contractual points of view as well as from operational and product development perspectives, affected companies should act soon to avoid liability and administrative fines and to update their contractual frameworks. 
The below checklist provides initial level guidance to assist in companies in assessming their risk exposure and identifying mitigation steps.
While the EU Data Act covers many different data-related topics, topics that are most relevant for private companies are obligations regarding collection and use of Internet of Things (IoT) data (Section 1) and switching between cloud storage/service providers (Section 2).
For IoT Companies
Does Your Company Manufacture Connected Products (Connected Products)?
Definition: Connected Products are all categories of equipment collecting data about their use or vicinity and are able to transfer this data via internet connection, also commonly referred to as “smart devices” or “IoT devices,” such as cars, televisions, refrigerators, cleaning or lawn mowing robots, kitchen tools, etc. (Source: Art. 2(5) EU Data Act)
Does Your Company Offer Related Services (Related Services) in Connection With Connected Products?
Definition: Related Services include any digital service (usually provided via an app) essential for the intended use of a Connected Product or adding additional functionalities to a Connected Product. (Source: Art. 2(6) EU Data Act)
Who Are Your Users?
Definition: If your Connected Products or Related Services are offered to customers in the European Union, the EU Data Act will apply to such product or service, regardless of whether your customers are consumers (B2C) or commercial (B2B) customers. (Source: Art. 1.3 EU Data Act)
Does Your Connected Product or Related Service Allow Users to Access Collected Product Data (Product Data)?
Definition: Product Data is all information collected by a Connected Product or Related Service in connection with using such product or service or its environment, regardless of whether such data is considered “personal data” under GDPR or not.
Action: Users have a right to have access to Product Data in real time, either directly in the IoT device or related app, or at least separately in a machine-readable format. Technical measures for enabling this access need to be implemented.
Action: Users must be provided with core information when purchasing a Connected Product or Related Service, e.g., regarding the types and amount of usage data collected, for what purposes the data will be used, where and how long the data is stored, and how the data can be accessed and stored. Information documents need to be prepared.
Action: Users may also request to grant third parties access to their Product Data. It is recommended to assess upfront under which, if any, conditions such disclosure may be rejected and on which grounds.
Does Your Company Use the Product Data for Its Own Purposes?
Action: Any use of this data for own purposes (e.g., analytics or business intelligence or advertisement) is only permitted under permission from the user of the Connected Product or Related Service to be given in a contract, including detailed provisions on the use and protective mechanisms. These contracts must follow a strict agenda and must contain certain mandatory terms. Existing customer agreements and new customer agreements will need to be updated accordingly before either 12 September 2025 (new contracts) or 12 September 2027 (for contracts executed prior to 12 September 2025 and (i) of indefinite duration or (ii) due to expire after 11 January 2034.)
Does Your Company Share Any of the Product Data With Third Parties?
Action: Product Data may be shared by your company with third parties only on the basis of a contract between the third party and the user in addition to the contractual relationship of your company with the user.. These contracts must follow a strict agenda and must contain certain mandatory terms. Agreements need to be put in place with users and third parties receiving usage data.
Does Your Company Currently Have Contracts in Place With Customers or Third Parties Entitling or Requiring Your Company to Access or Share Product Data?
Action: Existing agreements need to be reviewed for clauses regarding access to Product Data and, if such clauses exist, need to be updated to meet the above data sharing requirements.
For Cloud Storage/Service Providers:
Does Your Company Offer Cloud Services?
Definition: These are usually services enabling customers to upload their data to cloud servers; not only cloud infrastructure providers are covered, but each provider offering services around data hosting is covered, even if the cloud infrastructure is owned by another service provider.
Who Are Your Customers?
Definition: If your Connected Products or Related Services are offered to customers in the European Union, the EU Data Act will apply to your product or service, regardless of whether your customers are consumers (B2C) or commercial (B2B) customers.
Does Your Company Enable Customers To Migrate to Another Service Provider or Replace the Service With an On-Premises Solution?
Action: The EU Data Act obliges cloud service providers to remove obstacles that could deter customers from switching to another provider or an on-premises solution, regardless of the nature of the obstacle and including in particular contractual and technical obstacles. Service providers must assess if their service setup may raise such obstacles and, if necessary, remove these.
Action: Customer contracts must provide wording regarding the procedures, rights, and obligations of the parties for switching to another service provider, including termination and migration rights.
Action: Customer data must be maintained in a file format that can easily be transferred.
Does Your Company Charge Fees for Migrating Customer Data to Another Service Provider or an On-Premises Solution?
Action: From 12 January 2027 onward, cloud service providers must not charge any fees if the customer decides to migrate to another service provider or an on-premises solution. Until then, fees may not exceed the internal costs of the service provider arising in direct context with the migration.

FDA Announces Phase-Out of What it Referred to as “Petroleum-Based Synthetic Food Dyes”

Yesterday, FDA and HHS announced a series of actions intended to phase out the use of petroleum-based synthetic food dyes. The news release can be found here and a video of the press conference here. Specifically, the agency announced that it would:

Establish a national standard and timeline to transition from petroleum-based dyes to natural alternatives.
Initiate the process to revoke authorizations for Citrus Red No. 2 (21 CFR 74.302) and Orange B (21 CFR 74.250).
Work with the industry to eliminate the remaining six synthetic dyes – Green No. 3, Red No. 40, Yellow No. 5, Yellow No. 6, Blue No. 1, and Blue No. 2 – from the food supply by the end of the year.
Authorize four new natural color additives – calcium phosphate, Galdieria extract blue, gardenia blue, and buttery fly pea flower extract (expanded uses) –in the coming weeks and accelerate the review and approval of others.
Partner with the National Institutes of Health (NIH) to conduct comprehensive research on how food additives impact children’s health and development.
Request that companies remove Red No. 3 sooner than the previously required 2027-2028 deadline.

Speakers at the press conference included HHS Secretary Robert F. Kennedy Jr. and FDA Commissioner Marty Makary. Sweeping claims about the harms of the dyes, in particular to children, were made. Although the health effects of many of the dyes have been brought into question, there is little scientific consensus on the subject. See e.g., CA Department of Public Health Rejection of Synthetic Dye Warnings. FDA has not released any document providing an explanation for the agency’s change in position or providing a risk assessment to support its position. The speakers also discussed variations of state additive bans and the market harms of patchwork state regulation.
Neither the press release nor the news conference referenced any formal process to revoke the authorizations for the synthetic food dyes that are not Citrus Red No. 2 and Orange B, and FDA will likely rely on voluntary phase out by industry and state additive bans to implement its plans.

Prop 65: Changes to Short-Form Warnings Will Cause Long-Term Impacts

The California Office of Environmental Health Hazard Assessment (OEHHA) recently amended its regulations concerning requirements for consumer product warnings to qualify for “safe harbor” protection from enforcement actions brought under the Safe Drinking Water and Toxic Enforcement Act of 1986, commonly known as Proposition 65 (“Prop 65”).
Prop 65 is a “right to know” law — it requires businesses to provide a “clear and reasonable warning” before knowingly and intentionally exposing consumers in California to a chemical listed as known to the state of California to cause cancer or reproductive harm. OEHHA, the lead agency implementing compliance regulations for Prop 65, has adopted certain regulations detailing specific language and methods for warnings that businesses can use to comply with Prop 65 — i.e., “safe harbor warnings.” See Cal. Code Regs., tit. 27, § 25600, et seq.
On December 6, 2024, OEHHA issued a notice stating that the California Office of Administrative Law (OAL) approved changes to the Prop 65 regulations for “short-form” warnings that OEHHA proposed on October 27, 2023, among other changes.
The effective date of the new regulations is January 1, 2025, but there is a three-year implementation period for businesses to transition to the new warning language (by January 1, 2028). As discussed further below, this final regulation largely follows OEHHA’s October 27, 2023, proposal.
New Required Content for Short-Form Warnings: Short-form warnings are not so short anymore[1]. The new regulations now require that short-form warnings identify at least one chemical for each applicable endpoint (i.e., cancer or reproductive harm) and additional language, of which businesses have the choice of two phrases. Cal. Code Regs., tit. 27, § 25603(b). As further illustrated below, these changes are bound to have a substantial impact on businesses.
For example, short-form warnings for carcinogens only must now include one of the following phrases:
“Cancer risk from exposure to [name of chemical]. See www.P65Warnings.ca.gov.”

or

“Can expose you to [name of chemical], a carcinogen. See www.P65Warnings.ca.gov.”

See Cal. Code Regs., tit. 27, § 25603(b)(3)(A).
As another example, short-form warnings for both listed carcinogens and reproductive toxicants must include either of the two following phrases:
“Risk of cancer from exposure to [name of chemical] and reproductive harm from exposure to [name of chemical]. See www.P65Warnings.ca.gov.”

or

“Can expose you to [name of chemical], a carcinogen, and [name of chemical], a reproductive toxicant. See www.P65Warnings.ca.gov.”

See id. at § 25603(b)(3)(C).
According to OEHHA’s comments in its Final Statement of Reasons (“FSOR”) for the new regulations, these changes were made to provide consumers with more information about the warning being given, consistent with the long-form warning. FSOR, at 20. However, the changes will likely require businesses using the old short-form warnings on product labels, which are much shorter, to substantially redesign their labels to accommodate this new language.
Identification of Specific Chemicals: Perhaps the most controversial change is that the new regulations now require short-form warnings to name at least one chemical that is listed for cancer or reproductive harm. Cal. Code Regs., tit. 27, § 25603; see also id., at § 25601 (b). Previously, only long-form warnings had to identify a specific chemical. In the FSOR, OEHHA states that it believes listing at least one chemical in short-form warnings is necessary to provide “consumers sufficient information to make informed decisions about their exposures to listed chemicals” and to discourage the widespread business practice of providing short-form warnings “prophylactically, as a litigation avoidance strategy.” FSOR, at 20. OEHHA also commented in its FSOR:
Under existing law, companies currently may provide a warning with no chemical name for a product that does not cause any significant exposure to a listed chemical, because they would rather apply a generic warning to everything rather than determine which of their products actually create such an exposure and which do not. This litigation-avoidance strategy does not serve the interests of the Act because it does not provide accurate information. By including a chemical, companies will be encouraged to actually determine which chemicals—if any—could expose consumers of their products.

Id., at 30-31.
This significant change may require businesses to reconsider their testing protocols and use of short-form warnings if they are unable to identify a specific carcinogen and/or reproductive toxicant. Regardless of how businesses work to comply with the new regulations, their risk of costly enforcement actions is now undoubtedly higher.
New Options for Warning Labels: Companies are no longer limited to using “WARNING”, and now have the option of using “CA WARNING” or “CALIFORNIA WARNING” instead. Cal. Code Regs., tit. 27, § 25603. These options providebusinesses with the ability to identify the warnings as California-specific warnings, which may be beneficial for products that are also sold outside California. FSOR, at 45. Short-form warnings can also be given on any label size, provided the text is at least 6-point font and is “conspicuous” as defined in the regulations (i.e., “must be displayed with such conspicuousness as compared with other words, statements, designs or devices on the label, labeling, or sign, as to render the warning likely to be seen, read, and understood by an ordinary individual under customary conditions of purchase or use”). Cal. Code Regs., tit. 27, § 25601(c). Under the new regulations, the warning no longer needs to be “in a type size no smaller than the largest type size used for other consumer information.” See id.
Requirements for Catalog and Internet Purchases: OEHHA initially proposed clarifying language for products ordered through a catalog, but that clarifying language was not incorporated into the final regulations. However, the proposed edits to clarify the labeling requirements for products ordered through the Internet were enacted. Specifically, OEHHA clarified that, for one of the warning methods for internet purchases, the warning must be provided on the product display page, not on the internet site generally. Cal. Code Regs., tit. 27, § 25602(b).
Short-Form Warnings for Food Exposure: OEHHA also revised the regulations to specifically allow for a short-form warning for food products. Cal. Code Regs., tit. 27, § 25607.2. As with the safe harbor warning for consumer products, the warning for food products must identify the name of at least one chemical that is a carcinogen and/or reproductive toxicant. Warnings for food products do not need to include the warning symbol required for consumer products (i.e., a yellow equilateral triangle with a bold black exclamation point).
Warnings for Passenger or Off-Highway Motor Vehicle Parts and Recreational Marine Vessels: Businesses involving passenger or off-highway motor vehicle parts and recreational marine vessel parts can comply with Prop 65 by warning for phthalates and lead and suggesting best handling practices on a sign no smaller than 5 inches by 5 inches placed at each retail point of sale or display of products. Cal. Code Regs., tit. 27, §§ 25607.51(a)(3), 25607.50(a)(3), and 25607.52. If a business chooses this form of warning, it may not add to, remove, or substitute the chemicals identified. Id. at §§ 25607.51(b) and 25607.53(b). If the product is sold through the internet or through a catalog, the business must provide a long-form or short-form warning on the webpage or in the catalog for its products.
Three-Year Transition Period: Businesses have three years — until January 1, 2028 — to transition to the new short-form warning requirements. Thus, short-form warnings on any products manufactured on or after January 1, 2028, must adhere to the new regulations to qualify for safe harbor protection. However, any products manufactured and labeled with the old “safe harbor” short-form warning language prior to January 1, 2028, may continue to be sold indefinitely without the need for relabeling. Cal. Code Regs., tit. 27, § 25603(c).
Grace Period for Internet Retailers: Additionally, for internet purchases, a retailer is not responsible for posting or displaying the new warning online until 60 calendar days after the retailer receives a warning or written notice from the manufacturer that updates the short-form warning. Cal. Code Regs., tit. 27, § 25602(b)(2). This provision is effective for purchases made before January 1, 2028. Id. Retailers who have been issued notices of violation for not updating their short-form warnings after notice from manufacturers may have success in challenging those violations under the new rule.
Key Changes:

Effective January 1, 2028, short-form warnings must include at least one chemical name for each applicable endpoint (i.e., cancer and/or reproductive toxicity).
Businesses now have the option of using “WARNING,” “CA WARNING” or “CALIFORNIA WARNING” in warnings.
The short-form warning can be used on any label size, provided the text is at least 6-point font and is “conspicuous” as defined in the regulations.
Short-form warnings can now be used on food products.
Alternative retail sign warning options for phthalates and lead for passenger or off-highway motor vehicle parts and recreational marine vessel parts are now available.
Businesses have until January 1, 2028, to transition to these revised short-form warning requirements on products manufactured and labeled on or after that date.
Any products manufactured and labeled before January 1, 2028, can have the old short-form warnings, regardless of when the products are sold.
60-day grace period for internet retailers during the three-year transition period.

[1] The prior iteration of the rule required that businesses provide a truly “short” warning – (e.g., “Cancer – www.P65Warnings.ca.gov.”).

Red Tape Rollback: DOJ’s Anticompetitive Regulations Task Force

As we predicted before the inauguration, Trump 2.0 antitrust enforcers have shown continued support for the pro-worker, anti-tech antitrust agenda that has permeated recent antitrust enforcement through the last two administration changes. This time around, President Trump appointed competition agency leaders in Chair Ferguson at the Federal Trade Commission (FTC) and AAG Slater at the Department of Justice Antitrust Division (DOJ) who identify with a brand of conservative populism coalescing around many of the same policies and priorities as Biden-appointed competition leaders like FTC Chair Lina Khan. For example, since the inauguration, antitrust agencies under their leadership have forged on with antitrust cases against Big Tech, backed the Biden-era revisions to the merger and labor guidelines, and doubled down on efforts to use antitrust laws to protect American workers.
The Anticompetitive Regulations Task Force
The DOJ recently announced an Anticompetitive Regulations Task Force “to advocate for the elimination of anticompetitive state and federal laws and regulations that undermine free market competition and harm consumers, workers, and businesses.”
The move was instigated by President Trump’s Executive Orders 14192 and 14219, which promote deregulation and direct agencies to identify regulations that “impede private enterprise and entrepreneurship.” To that end, the Task Force will partner with federal agencies to help identify regulations that inhibit competition in the industries they monitor. Significantly, EO 14192 requires that for an agency to promulgate new regulation, it must identify at least ten existing regulations to be repealed. Similar efforts have been announced across other agencies.
In addition to advising agencies, the Task Force “Invites Public Input Targeting Red Tape that Hinders Free Market Competition” and is soliciting public comments at www.Regulations.gov through May 26 on regulations that interfere with businesses’ ability to compete. This is a powerful prospect for those interested in influencing competition policy, since the administration appears to be looking to do away with as much regulation as possible and has shown it can move quickly.
The Task Force also seeks to influence policy by filing amicus briefs in private litigation and weighing in on proposed state legislation. In a “what’s old is new again” way, much of this work has been done for decades by the DOJ’s Policy and Appellate Sections, and examples of this type of competition advocacy spanning more than a decade can be found in its Comments to Federal Agencies, Comments to States and Other Organizations, and Statements of Interest.
Industries of Interest
The Task Force intends to focus on markets that have the greatest impact on American households, including:

Housing
Transportation
Food and Agriculture
Healthcare
Energy

The cited industries of interest are unsurprising, since not only are they currently tightly regulated, but they also represent some of the largest areas of government spending and have been a perennial focus of antitrust investigations, litigation, enforcement, and competition advocacy. Indeed, these industries are held out by some as examples of industries dominated by large players.
The Task Force announcement focuses on the ways red tape regulations hurt small businesses by imposing barriers to entry and inequitably increasing compliance costs. A purported goal is to cut back regulations in order to make it easier for smaller, disruptive companies (“Little Tech!”) to enter these industries and successfully compete. However, the effects of anticompetitive regulations and any regulatory rollbacks will be experienced equally by large and established companies, so the call for identification of areas in need of rollback appears to be open to all.
Potential Impact
While businesses are attempting to navigate the administration’s other swift changes, this Task Force presents an opportunity for some long overdue positive changes, particularly in areas plagued by anticompetitive red tape. For example, in the healthcare industry, the DOJ and FTC have expressed competition concerns relating to Certificate of Need laws in numerous states.
The energy industry could present an interesting policy conundrum for Trump 2.0 antitrust enforcers as the smaller, disruptive market participants the Task Force encourages to speak up are likely non-incumbent alternative and environmentally conscious energy providers. While these issues are likely to be swept into the Task Force’s review, it remains to be seen whether the Trump administration will have an appetite to advocate for these providers’ competitive footing, or instead focus on seeking rollback of ESG-focused regulations.
Similarly, the Task Force’s attention to small businesses means another likely target is occupational licensing. Under the previous Trump administration, the FTC’s Economic Liberty Task Force released a report on Options to Enhance Occupational License Portability, but rolling back licensing requirements altogether could push the administration’s policy goals much further. Here too, regulation repeal would likely face a fair amount of pushback, even from within the industries.
Conclusion
While the fruits of the Task Force’s efforts will likely take a long time to materialize, companies—particularly those in the Housing, Transportation, Food and Agriculture, Healthcare and Energy industries—have a meaningful opportunity to call out barriers to competition that they face and potentially impact competition agencies’ focus.
Listen to this post