GIVE UP THE NAME!: TCPA Defendant Ordered to Identify BPO Involved in Allegedly Illegal Despite Ongoing Criminal Proceedings
Every once in a while I am asked by a client to “keep so and so out of the case.”
The rule that bind attorneys in civil litigation–especially in federal court– lean quite heavily in favor of discovery of known and relevant facts. And whereas a Defendant CERTAINLY has rights to avoid burdensome or needlessly intrusive discovery, simple questions like “who made the calls” or “where did the leads come from” are almost always going to result in a court requiring an answer (no matter how great and powerful your attorney might be.)
In MARGO SIMMONS v. WP LIGHTHOUSE LLC, No. 1:24-cv-01602-SEB-MKK (S.D. Ind. April 22, 2025), for instance, a Defendant refused to identify a BPO that may have made the calls at issue in its behalf.
As the story goes, the BPO provider “is subject to ongoing criminal proceedings” and the Defendant did not want to identify the BPO for fear it would incriminate itself. That is, if the calls the BPO is under investigation for were actually made at the behest of WP Lighthouse it fears being included in the criminal proceeding.
Pause.
Does WP Whitehouse really think the BPO isn’t going to give them up to the feds/state anyway?
Unpause.
The Court in Simmons made short work of the 5th amendment argument here. Businesses have no fifth amendment rights– which is odd since they seem certainly have other constitutional rights–so the court rejected the refusal to answer just that simply. It held the Defendant must identify the BPO and provide additional information related to its relationship with the BPO.
The defendant also refused to provide information regarding its dialing platform–RingCentral–so the Court also ordered it to provide copies of contracts, communications and other records.
Pretty clear lesson here– TCPA defendants can and should fight to protect themselves against needless and burdensome discovery, but simple stuff like the names of other companies involved with phone calls are almost always going to be ordered.
As if to drive home that point the Court in Simmons is going to issue SANCTIONS against the defendant. The Court found the Defendant’s position was not substantially justified and, as a result, intends to award Plaintiff’s counsel– the Wolf Anthony Paronich–the attorneys fees incurred in having to bring the motion to compel.
Eesh. Terrible.
But so it goes.
One last note here, INDIVIDUALS who are sued personally in TCPA cases DO have 5th amendment privilege because the TCPA does contain criminal penalties. So whereas the Defendant in Simmons could not raise the privilege, if you find yourself named personally in a TCPA lawsuit be sure to discuss the issue of privilege with your counsel.
OCR Reaches Settlements with Northeast Radiology and Guam Memorial Hospital Over HIPAA Security Rule Violations
The Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced two HIPAA enforcement actions involving failures to safeguard electronic protected health information (“ePHI”) in violation of the HIPAA Security Rule. Both cases stem from investigations into incidents that exposed sensitive health data, underscoring ongoing federal scrutiny of entities that fail to implement core compliance measures such as HIPAA risk analyses, system activity reviews and workforce access controls, into their security programs.
Northeast Radiology, P.C. (“NERAD”) agreed to a $350,000 settlement after OCR launched an investigation into the company’s use of a medical imaging storage system (“PACS”) that lacked proper access controls. The investigation stemmed from a March 2020 breach report in which NERAD disclosed that, between April 2019 and January 2020, unauthorized individuals had accessed radiology images stored on its PACS server containing unsecured ePHI, gaining access to the ePHI of nearly 300,000 individuals. OCR found that NERAD had not conducted a comprehensive HIPAA risk analysis, failed to implement procedures to monitor access to ePHI, and lacked adequate policies to safeguard sensitive data.
In addition to the monetary settlement, NERAD agreed to a two-year corrective action plan that requires it to conduct a thorough HIPAA risk analysis to assess potential threats to the confidentiality, integrity, and availability of ePHI; implement a risk management plan to address identified security vulnerabilities; establish a process for regularly reviewing system activity, including audit logs and access reports; maintain and update written HIPAA policies and procedures; and enhance its HIPAA and security training program for all workforce members with access to PHI.
Guam Memorial Hospital Authority (“GMHA”) reached a $25,000 settlement following OCR’s investigation into two separate security incidents: a ransomware attack in December 2019 and a 2023 breach involving hackers who retained access to ePHI. Through its investigation, OCR determined that GMHA had failed to conduct an accurate and thorough HIPAA risk analysis to determine the potential risks and vulnerabilities to ePHI held in its systems.
As part of a three-year corrective action plan, GMHA is required to conduct a comprehensive HIPAA risk analysis to identify risks to the confidentiality, integrity and availability of its ePHI; implement a risk management plan to mitigate those risks; develop a process for regularly reviewing system activity, such as audit logs and access reports; and adopt written policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules. GMHA also must strengthen its HIPAA training program, review and manage access credentials to ePHI, and conduct breach risk assessments, and provide supporting documentation to OCR.
Together, these enforcement actions reinforce OCR’s expectation that covered entities and business associates adopt and maintain robust, enterprise-wide security programs capable of preventing, detecting and responding to threats that compromise ePHI.
Financial Industry Concerns Cause FCC to Delay Implementation of Broad Consent Revocation Requirement under TCPA
On April 11, 2025, a controversial new rule by the Federal Communications Commission (FCC) was set to take effect to modify consent revocation requirements under the Telephone Consumer Protection Act (TCPA). But each of the rule’s mandates, as codified at 47 CFR § 64.1200(a)(10), did not go into effect on that date. Just four days before, the FCC issued an Order delaying the rule’s requirement that callers must “treat a request to revoke consent made by a called party in response to one type of message as applicable to all future robocalls and robotexts . . . on unrelated matters.” See FCCOrder, Apr. 7, 2025 (emphasis added).
The plain language of the rule is generally broad. It states that consumers may use “any reasonable method” to revoke consent to autodialed or prerecorded calls and texts, and that such requests must be honored “within a reasonable time not to exceed ten business days.” The rule then goes on to delineate certain “per se” reasonable methods by which consumers may revoke consent. For example, if a consumer responds to a text message with the words “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe,” then the consumer’s consent is “definitively revoked” and the sender is thereafter barred from sending any “additional robocalls and robotexts.”
Many industry participants—especially the banking industry—have been critical of the rule. One major concern is its sprawling effect. For example, under the rule, if a consumer were to respond to a marketing communication with the word “unsubscribe” or the like, then the sender and all of its business units may be forced to cease unrelated forms of communication on issues such as the provision of account notices or other informational matters.
The banking industry has taken issue with the burdens imposed by the rule as well. That include concerns about “numerous challenges” financial institutions face in attempting to modify existing call platforms to comply with the rule, with “substantial work” being required by “larger institutions with many business units with separate caller systems.” See FCC Order ¶ 6. The bank industry has also raised challenges faced by financial institutions in “designing a system that allows the institution . . . [to] not apply a customer’s revocation to a broader category of messages than the customer intended.” See FCC Order ¶ 9.
The banking industry’s concerns ultimately appear to be what persuaded the FCC to stay the implementation of Section 64.1200(a)(10) in part earlier this month. The new rule is now set to not go fully into effect until April 11, 2026. For the time being, that means banks and other companies receiving a consent revocation request from a consumer in response to one type of message may not necessarily be prohibited from communicating with the consumer using “robocalls and robotexts from that caller on unrelated matters.” The FCC nonetheless suggests—albeit vaguely—that it will enforce any additional obligations required under the new Section 64.1200(a)(10), so companies engaging in TCPA-regulated communication practices should take heed accordingly.
MORE IS REQUIRED: Senior Life Insurance Company Out of TCPA Class Action For Too Thin Allegations
Quick one for you this am TCPAWorld.
Senior Life Insurance Company–which has the unfortunate acronym of SLIC– was sued in a TCPA class action in Virginia recently. It moved to dismiss arguing the complaint did not actually state FACTS to show it made the calls at issue.
Earlier this week the Court agreed in Matthews v. Senior Life Insurance 2025 WL 1181789 (E.D. VA April 22, 2025).
Interestingly the complaint actually did allege the calls were “from” SLIC and that a caller was an “employee” of SLIC. Indeed Plaintiff even alleges that during one of the calls he was asked “regarding qualifying for SLIC life insurance.”
Still the court found these allegations too conclusory to state a claim. Unstated here is the assumption that someone else might have been making calls on SLIC’s behalf–which shows a pretty sophisticated court that understands SLIC’s business model likely does not include a bunch of captive w-2 agents calling out to sell policies.
Pretty interesting one that TCPA defendants should keep in mind.
OIG Issues Another Favorable Advisory Opinion on Patient Recruitment Efforts by Community Health Centers
The Office of Inspector General for the Department of Health and Human Services (OIG) recently issued a favorable Advisory Opinion on a proposed arrangement by a community health center (Health Center) designated under Section 330 of the Public Health Service Act (PHSA). The Health Center provides certain social services to individuals (e.g., providing diapers and baby gear to indigent families; assisting crime victims with replacing locks) and proposes to identify individuals in need of primary care services while providing them social services, inform them of available primary care services, and schedule appointments for them to receive such primary care services from the Health Center or a local provider. Noting that the social services would qualify as remuneration that could induce individuals to self-refer to the Health Center, the OIG addressed whether this plan would trigger sanctions under the federal Anti-Kickback Statute (AKS) and the Beneficiary Inducements CMP. Ultimately, the OIG approved the proposal based on the Health Center’s inclusion of several safeguards, including the use of an objective criterion for identifying individuals and the inclusion of multiple providers in the referral list.
The Proposed Arrangement
The Health Center provides both medical and non-medical social services to underserved populations, including childcare, food banks, employment counseling, and legal services, all designed to improve health outcomes and access to healthcare. The Health Center’s scope of project, approved by the Health Resources and Services Administration (HRSA), includes these additional non-medical social services. Under the proposed arrangement, the Health Center would aim to identify individuals in need of primary care during the provision of these social services, inform them about available primary care services, and schedule appointments at the Health Center or refer the individuals to local providers.
OIG’s Conclusion
Despite the arrangement potentially generating prohibited remuneration, the OIG concluded that it would not impose administrative sanctions under the AKS or the Beneficiary Inducements CMP based on the following safeguards that reduce the risk of steering patients to the Health Center:
Objective Criterion for Identifying Individuals. The Health Center uses an objective criterion – whether the individual has seen a primary care provider within the last year –to identify individuals in need of primary care services. This approach does not promote the Health Center and reduces the risk of steering patients.
Non-Promotional Referral List. The list of primary care providers given to individuals is organized in alphabetical order and drafted without promoting the Health Center (e.g., no bold font, underlining, or other emphasis). Additionally, the Health Center implements an “any willing provider” standard, ensuring that any community provider can be included on the list.
Alignment with Health Center’s Mission. The Health Center provides primary care services to underserved populations, regardless of their ability to pay. The proposed arrangement aligns with its designation as a Health Center under Section 330 of the PHSA, which requires activities focused on recruiting and retaining patients from the service area and promoting optimal use of primary care services.
Conclusion
The OIG has issued multiple favorable OIG advisory opinions involving designated community health centers offering some form of remuneration to individuals to improve patient engagement and access to healthcare. In 2020, the OIG approved a health center’s proposal to offer $20 gift cards from “big-box” retailers to incentivize pediatric patients who had previously missed two or more preventive and early intervention care appointments to attend such appointments. In 2012, the OIG issued a favorable advisory opinion on a health center’s proposal to offer $20 grocery store gift cards as an incentive to visit the health center for a screening or clinical service.
Other types of health care organizations, like health systems and hospitals, providers vertically integrated with plans, and providers at financial risk, may find value in offering similar incentives and social services to enhance patient engagement and improve health outcomes. They should consider the factors highlighted in this advisory opinion as ways to reduce risk, but they should exercise caution before proceeding. Advisory opinions are binding only with respect to the requesting party, and designated health centers under Section 330 of the PHSA are unique in that they are statutorily required to conduct a broad range of activities focused on recruiting and retaining patients from the service area and promoting and facilitating use of primary care services.
TOO CLASSY FOR THIS SUIT: What Two Google Rulings Say About How Not To Define A Class
Greetings CIPAWorld!
Here are some exciting case updates involving Google. What started as a headline-making copyright case against Google just became required reading for anyone litigating under CIPA. So, you may be asking, what do copyright and CIPA have in common? Don’t worry… the connection will become clear as we explore these cases. In In re Google Generative AI Copyright Litig., No. 23-cv-03440-EKL, 2025 U.S. Dist. LEXIS 75740 (N.D. Cal. Apr. 21, 2025), a class of creators claimed that Google scraped their copyrighted works without permission to train its AI models. It was pitched as a massive data appropriation lawsuit. Still, the case stumbled temporarily because, as litigators know all too well, the Plaintiffs proposed an improperly defined class.
The Plaintiffs, a group of authors, illustrators, and content creators, accused Google of using their copyrighted materials to train its generative AI models without permission. I find this fascinating! While in law school, I wrote a white paper on this topic, examining the copyright implications of using creative works to train AI systems. The intersection of copyright law and emerging technologies presents novel legal challenges.
In this case, it was a sweeping theory of unauthorized data use, but the case ran into trouble the moment plaintiffs defined their class. They limited membership to individuals “whose exclusive rights under 17 U.S.C. § 106 in their registered works were infringed upon.” In re Google Generative AI Copyright Litig., 2025 U.S. Dist. LEXIS 75740, at *6. In other words, you were only in the class if Google violated your copyright.
It may seem straightforward to target affected individuals, but the Court immediately identified the problem. The class only included those who would ultimately prevail on the merits. As such, the Court couldn’t determine who was in the class without deciding if Google was liable to each potential class member. News flash… that’s what courts call a “fail-safe” class.
Judge Lee explained that “the Court cannot determine who is a member of the class without deciding the merits of each potential class member’s claim, including whether the potential class member has a valid copyright registration, whether Google infringed the class member’s work(s), and whether Google has a valid defense based on fair use or license.” Id. at *10.
As the Ninth Circuit explained in Kamar v. Radio Shack Corp., 375 F. App’x 734, 736 (9th Cir. 2010), a fail-safe class is impermissible because membership is conditioned on a legal finding. It’s circular. Because Plaintiffs’ proposed class was tied to the elements of infringement, the Court struck the class allegations under Fed. R. Civ. P. 12(f). See Google Generative AI Copyright Litig., 2025 U.S. Dist. LEXIS 75740, at *11. Judge Lee didn’t dismiss the case outright, but she gave Plaintiffs fourteen days to amend their definition.
The Court also offered a suggestion: reframe the class based on factual criteria. The revised definition proposed by Plaintiffs, “all persons or entities domiciled in the United States who owned a United States copyright in any work used by Google to train Google’s Generative AI Models during the Class Period,” was precisely that. Id. Judge Lee acknowledged that this revised definition “would not require an upfront determination by the Court that each potential class member will prevail on the merits of an infringement claim.” Id. This makes perfect sense. That’s the difference between a procedural dead-end and a viable class.
This issue isn’t unique to copyright litigation. I mean, this is CIPAWorld, right!? Plaintiffs continue to define classes as people “whose communications were intercepted” or “whose data was unlawfully shared.” These definitions don’t identify a group of people based on facts. They identify a group based on whether they’ve already proven their claim. That’s precisely what courts are rejecting.
I saw a nearly identical issue in In re Google RTB Consumer Priv. Litig., No.: 4:21-cv-2155-YGR, 2024 U.S. Dist. LEXIS 119157 (N.D. Cal. Apr. 4, 2024) a few weeks prior. That case focused on Google’s Real-Time Bidding (“RTB”) platform. Plaintiffs alleged that the system shared sensitive user data with advertisers through real-time ad auctions. The class was defined as Google account holders “whose personal information was sold or shared.” Sounds familiar, right?
Judge Yvonne Gonzalez Rogers found the class definition flawed. Like Judge Lee, she concluded that the definition was “fail safe” because it required resolving the merits. Specifically, whether Google “impermissibly shared” personal information, just to identify who belonged in the class. The Court stated: “The Court agrees with Google that, as written, the class definition is fail safe. The question on which this suit hinges is whether Google impermissibly shared its account holders’ personal information through RTB.” Id. at *18.
But that wasn’t the only issue the court addressed. Judge Rogers also cautioned that removing the contested phrases from the class definition might broaden the class so much that it would include users who weren’t harmed. The Court stated, “Defining a class so as to avoid, on one hand, being over-inclusive and, on the other hand, the fail-safe problem is more of an art than a science.” Id. at *17.
CIPA litigators should take note. These rulings aren’t just about definitions, but they’re about strategy. If the class can’t be defined in a way tethered to objective facts, plaintiffs won’t make it to the merits. Courts aren’t guessing anymore. They’re asking: Can we identify class members without deciding if the law was broken? If the answer is no, certification won’t happen.
The RTB case also surfaced another common problem in CIPA litigation: individualized consent. Judge Rogers denied certification of a Rule 23(b)(3) damages class because determining who saw disclosures and who didn’t would require user-by-user analysis. That inquiry would overwhelm common issues.
Still, the Court acknowledged that a Rule 23(b)(2) injunctive class could be appropriate. While Plaintiffs could not satisfy the predominance requirement for a damages class, the Court noted that prospective injunctive relief might proceed under a different analysis. A forward-looking injunction targets company practices going forward and doesn’t require resolving individualized consent issues for each user. But even injunctive claims must be grounded in a well-defined, objectively ascertainable class.
Despite presenting expert evidence involving millions of RTB bid requests, Plaintiffs faced one more obstacle. The Court was not persuaded that the data set reliably reflected the experience of the proposed class as a whole. Plaintiffs alleged that advertisers could determine what content users viewed and even infer their locations. But the Court held that this wasn’t enough. The data needed to be representative of the entire class experience, and the plaintiffs hadn’t met that burden. See In re Google RTB Consumer Priv. Litig., 2024 U.S. Dist. LEXIS 119157, at *32-33.
For defense counsel, the takeaway is that challenges to class definitions and evidentiary gaps remain powerful early tools to be utilized. Whether the issue is consent variability, class overbreadth, or sampling deficiencies, these rulings reinforce that procedural missteps can and often derail class actions before the merits stage. As CIPA litigation continues to sweep across California, these two Google rulings illustrate where cases are getting stuck. Defining your class around legal conclusions, relying on non-representative data, or ignoring consent variations are no longer technical errors. They are strategic liabilities.
Whether you’re responding to claims involving chat features, embedded scripts, or real-time data flows, the foundational question remains the same: who’s in your class, and how do you know? If answering that requires proving liability, the case may never reach certification.
As always,
Keep it legal, keep it smart, and stay ahead of the game.
Talk soon!
NO LINK, NO LIABILITY: Court Dismisses Vicarious Liability Allegations.
Hey TCPAWorld!
Vicarious liability demands more than a loose business association between entities.
In Gonzalez v. Savings Bank Mutual Life Ins. Co. of Mass., No. EP-24-CV-00289-DB, 2025 WL 1145266 (W.D. Tex. Apr. 15, 2025), Yazmin Gonzalez’s (“Plaintiff”) claims of vicarious liability under the TCPA were dismissed due to insufficient factual allegations linking Savings Bank Mutual Life Insurance Company of Massachusetts (“SBLI”) to Elsworth Rawlings or American Benefits, its alleged subagents.
Background
According to Plaintiff’s First Amended Complaint (“FAC”), in early 2024, Plaintiff began receiving a series of telemarketing calls to their phone number ending in 1859, which was listed on the National Do-Not-Call Registry (“DNCR”). Id. at 1. Plaintiff claims to have received eight calls, each featuring the following prerecorded message:
“Hi, this is Stephanie, I’m calling you from American Benefits… “
Id. Plaintiff alleged that she informed the agent that she was not interested and requested the calls to stop on the fourth call. The calls continued.
On the eighth call, Plaintiff impersonated her mother to identify the company behind the calls. Plaintiff received a call from a number ending in 2986, allegedly the same agent she connected with earlier. The agent then supposedly connected her to “Elsworth Rawlings,” who did not identify the company he worked for, asked qualifying questions, and then informed her that he would be transferring her to an SBLI agent. Plaintiff was transferred to another agent that allegedly introduced themselves as Bell and completed Plaintiff’s insurance application. After the application was approved, she was transferred back to Rawlings. Plaintiff later received an insurance policy bearing Rawlings’ signature. According to Plaintiff, the call line was one long chain which did not disconnect at any point.
Plaintiff’s Allegations
In her FAC, Plaintiff alleges that:
Rawlings is a licensed insurance agent who was appointed by SBLI to market, solicit, and sell insurance on [their] behalf… on February 20, 2024;
SBLI and Rawlings set up a phone system that allowed them to coordinate applications and transfer applicants back and forth between them; and
SBLI appointed Rawlings with the knowledge and expectation that Rawlings would make phone calls to solicit SBLI’s products and services.
Id. at 2.
The Agreement
Under the Agreement executed between SBLI and Rawlings, SBLI authorized Rawlings to solicit and transmit life insurance applications, but expressly prohibited him from presenting himself as an SBLI employee or agent beyond what was contractually permitted. Additionally, Rawlings was required to protect SBLI’s reputation and comply with applicable laws and regulations. Plaintiff further alleged that American Benefits was acting as Rawlings’ agent—and therefore as SBLI’s subagent.
Legal Standard
SBLI moved to dismiss under Rule 12(b)(6), arguing that the complaint failed to plead sufficient facts to state a plausible claim for relief.
The TCPA provides a private right of action under 47 U.S.C. § 227(b), which regulates autodialed or prerecorded calls to cell phones, and 47 U.S.C. § 227(c), which protects those on the DNCR. Plaintiff can establish vicarious liability through common law agency principles by showing the caller acted on behalf of Defendant.
Court’s Analysis
Plaintiff’s FAC raises two causes of action against SBLI:
Eight (8) violations under Section 227(b)(1)(A) by making non-emergency telemarketing robocalls to Plaintiff’s cellular telephone numbers without her prior express written consent, and
Violations under Section 227(c) and 47 C.F.R. § 64.1200(c) for making eight (8) unsolicited calls to Plaintiff’s line, which was registered on the DNCR, without Plaintiff’s consent.
Id. at 3. In its Motion to Dismiss, SBLI argued Plaintiff failed to plead any facts linking the calls to SBLI under Sections 227(b) or 227(c). Because the Agreement executed between SBLI and Rawlings was attached to SBLI’s Motion to Dismiss, the Court treated it as part of the pleadings when evaluating the plausibility of the allegations.
The Court found that Plaintiff failed to plead sufficient facts under 227(b) to establish direct liability against SBLI, as SBLI neither made the calls nor controlled the party that made the calls. Instead, each call was initiated by “American Benefits,” as indicated by the prerecorded message cited in Plaintiff’s Complaint. As a result, the Court held that SBLI cannot be held directly liable for any of the telemarketing calls.
The Court also rejected Plaintiff’s theory of vicarious liability under the TCPA, finding she failed to allege sufficient facts to establish an agency relationship between SBLI and Rawlings. To support vicarious liability, a plaintiff must show actual authority, apparent authority, or ratification. The court emphasized that merely identifying Rawlings as a “subagent” was not sufficient without factual support showing SBLI’s control or acceptance of the calls. Id. at 4.
No Actual Authority
According to the Court, actual authority exists when the principal expressly or implicitly grants the agent authority to perform a particular act. Here, there was no actual authority because Plaintiff did not allege facts showing SBLI controlled the manner and means of the telemarketing campaign or granted Rawlings the power to hire American Benefits. Plaintiff also failed to allege SBLI’s control over Rawlings’s day-to-day operations or any direct connection to the American Benefits telemarketer.
No Apparent Authority
“[A]n agent has apparent authority to bind a principal if a third party reasonably believes the agent has authority to act on behalf of the principal and that belief is traceable to the principal’s manifestations.” Id. at 5. (Citations omitted). Plaintiff failed to demonstrate apparent authority as there is no evidence that SBLI held out Rawlings or the telemarketer as having authority to act on its behalf. Although Plaintiff alleged SBLI gave Rawlings instructions and coordinated systems for processing applications, she did not plead facts showing SBLI’s conduct led her to reasonably believe the caller was acting for SBLI. As a result, the Court held that Plaintiff did not plausibly allege apparent authority.
No Ratification
Lastly, Plaintiff’s ratification theory fails because she did not allege that SBLI had knowledge of any unlawful calls made by Rawlings or American Benefits. To support ratification, the principal must be aware of the conduct and either accept the benefits or fail to repudiate it. The court found no factual basis showing SBLI affirmed or accepted any TCPA-violating conduct, and thus ratification could not establish vicarious liability.
The Court concluded that neither American Benefits nor Rawlings acted as SBLI’s agent under any agency theory, thus, SBLI could not be held liable under Section 227(b). The Court also dismissed Plaintiff’s Section 227(c) claim, since Plaintiff could not attribute a single call to SBLI. As a result, both TCPA claims were dismissed.
Vicarious liability under the TCPA demands more than just an ordinary business association. It requires well-pled facts that establish a clear agency relationship, showing that the defendant exercised control over the caller’s conduct, granted the caller to make the calls, or knowingly accepted the benefits of those calls while being thoroughly aware they violated the law.
U.S. Federal Court Permanently Enjoins Ohio Social Media Age Verification Law From Taking Effect
On April 16, 2025, the U.S. District Court for the Southern District of Ohio Eastern Division issued a ruling permanently enjoining the Ohio Attorney General from enforcing the Parental Notification by Social Media Operators Act, Ohio Rev. Code § 1349.09(B)(1) (the “Act”). The decision follows a preliminary injunction issued in February 2024 by the same court.
The Act was signed into law in July 2023, and was set to take effect on January 15, 2024. The Act would have required social media platforms to verify whether users are at least 16 years old and obtain parental consent before allowing children under 16 to create an account on their platforms. The court held that the Act implicated the First Amendment because it restricted children’s ability to engage in and access speech, and that the Act’s application to certain websites but not others amounted to a content-based restriction because it favored certain forms of engagement with speech over others. In its ruling, the court stated that the Act “resides at the intersection of two unquestionable rights: the rights of children to ‘a significant measure of’ freedom of speech and expression under the First Amendment, and the rights of parents to direct the upbringing of their children free from unnecessary governmental intrusion.” The court held that the government did not satisfy the satisfy the First Amendment’s strict scrutiny standard, which is applied to content-based restrictions. “Generally, First Amendment protections ‘are no less applicable when government seeks to control the flow of information to minors,’” the court said.
The ruling is the latest in a string of lawsuits brought by NetChoice, a tech industry trade association, against similar state laws. It also represents the second permanent injunction NetChoice has secured, following a recent permanent injunction blocking a similar law in Arkansas.
AFFILIATE TRACKING CLASS ACTION: Texts with Links to HasOffers (Tune?) Website Lands Interest Media in Deep TCPA Trouble
Really interesting one for the affiliate world today.
So repeat TCPA litigator ZACHARY FRIDLINE just scored a big victory over Interest Media following text messages allegedly sent to his phone without consent.
As the Court tells it:
“The text messages led to internet properties either owned by Interest Media or an affiliate offer promoted on Interest Media’s platform.” 17 To reach this conclusion, Fridline “track[ed] the tracking links in the text messages” 18 and “capture[d]” a tracking link. 19 This link directed recipients to “imtrk.go2cloud.org,” which is owned by Interest Media. 20
“The Go2Cloud domain is owned by HasOffers, which is an affiliate tracking platform.” 21 “The website imtrk.hasoffers.com is … Interest Media’s account on the HasOffers platform.” 22 These messages “were sent to solicit the purchase of various property, goods, and services offered by advertisers who paid Interest Media to drive traffic to their websites.” 23 “By way of example, some of the advertisers included gift card ‘giveaway’ scams, lead generation websites for sweepstakes, offers for televisions, and offers for iPhones.” 2
The only part of this that doesn’t make sense to me is that I thought HasOffers changes its name to Tune like 10 years ago.
Regardless, in Fridline v. Interest Media, 2025 WL 1162492 (M.D. Pa April 21, 2025) the Court held these allegations were sufficient to state a claim against Interest Media.
Unlike the caselaw Interest Media has relied upon, Plaintiff does not merely “believe[ ] the identified phone number[s]” are “owned by defendant.”29 Instead, Plaintiff described how Defendant’s business model is predicated on solicitation and explained how the tracking links directed recipients to “internet properties either owned by Interest Media or an affiliate offer promoted on Interest Media’s platform.”30 He then identified an example tracking link that he traced to a website owned by Interest Media found on a known affiliate tracking platform domain that Defendant maintains an account with. 31 These allegations provide the requisite factual support “to justify that a call came from” Defendant. 32 Nor can it be said that these allegations are unclear or conclusory. Plaintiff has articulated a detailed narrative based on clear factual allegations.
So there you go.
Probably didn’t help Interest Media’s big law counsel argued the messages were sent without an ATDS but that isn’t even a requirement under the TCPA’ DNC provisions. Indeed the argument was so bad the Court simply said it would “set aside” that argument, which is code for “I am not even going to waste my time with this.”
Yikes.
Crazy that people pay big law lawyers to make arguments that are absolutely meritless. But what are you going to do? (I mean, other than hire better lawyers.)
Regardless another big win for a litigator and bad loss for a lead generator using big law to defend it.
NO INDEMNITY: ReNu Solar Loses Effort to Obtain Default Judgment Against TechMedia Group and It Highlights the Issue With Indemnity Agreements
So here’s one you haven’t heard before.
Company buys lead, makes calls, gets sued under the TCPA.
Ok ok you’ve heard THAT one before.
But then company sues lead seller for indemnity and lead seller doesn’t show up in court. Company seeks default judgment against lead seller.
What result?
Well in Jackson v. Renu, 2025 WL 1162491 (M.D. Pa. April 21, 2025) the Court held no judgment against the seller is possible until the underlying TCPA defendant actually tasted defeat in the TCPA case.
In Jackson the contractual agreement between ReNu and TechMedia called upon TechMedia to comply with the TCPA and indemnify ReNu for any judgment that was entered against it. But since no judgment has yet been entered against ReNu the Court found TechMedia did not yet owe ReNu indemnity.
Ouch.
Notably the judgment probably could have (should have) asked for recovery of attorneys fees but apparently ReNu’s lawyers didn’t advise the court of whether ReNu had chose its own lawyers to defend it or those chosen by TechMedia. So NO award was entered at all.
My goodness.
Setting aside the potential screw up here, Jackson underscores a huge problem with indemnity agreements in lead generation. Lead buyers often assume such agreements make them bullet proof against suit.
Ridiculous.
The lead buyer that made the call is always the first one to be sued and a mere indemnity agreement does not mean the buyer will be out of the case. AT BEST it means the lead buyer will recover money against the leas seller one day. But as Jackson points out that “one day” is usually after the lead buyer has already faced a potentially massive judgment.
Not good.
Relying on indemnity agreements in lead gen contracts is NOT a smart path folks. Yes, you still need to include those terms in your contracts but VETTING your vendors and working with QUALITY PARTNERS you can trust (preferably those that abide by the R.E.A.C.H. standards) is essential.
CFPB Suggests Shift In Supervision and Enforcement Priorities
On April 16, the Consumer Financial Protection Bureau (CFPB) seemingly provided its employees with a memorandum outlining its ongoing supervisory and enforcement priorities (Memo).1 Although the Memo has not been made publicly available, its contents are consistent with what many in the consumer finance industry assumed would be adopted by the agency’s new leadership.
Importantly, the Memo assists entities subject to CFPB supervision and examination by detailing the areas of interest to CFPB leadership and making clear that there is no intention among such leadership to “pursue supervision under novel legal theories,” instead relying upon the agency’s statutory authority to supervise affected entities. While not fully transparent, it appears likely that this reference to “novel legal theories” is intended to convey to CFPB employees (and the market more broadly) that the agency will not use its statutory authority to designate “larger participants” for supervisory purposes as permitted under the Dodd-Frank Wall Street Reform and Consumer Protection Act. What is wholly unclear, however, is whether industries that have already been designated as “larger participants” by the agency, such as certain consumer reporting agencies, remain subject to ongoing supervision at this time. It also appears unlikely the agency will take on sweeping initiatives to expand its reach, such as how, in recent years, it sought to designate certain consumer leasing products as “credit” despite case law to the contrary.
Five Key Takeaways and Considerations from the CFPB Supervisory and Enforcement Memo
1. Supervisory exams
According to the Memo, such exams will decrease by 50 percent and will focus on “conciliation, correction and remediation of harms subject to consumers’ complaints.” While the Memo does not go into detail as to whether such “complaint drivers” will come from internal complaint tracking or the CFPB database2 that accepts complaints, we believe the focus will be on complaints posted by consumers to the agency database (and possibly, although less likely, to larger public databases like the Better Business Bureau complaint database).
Consumer financial providers should quickly review all of their associated complaints in the CFPB complaint database to ensure that such complaints have been appropriately addressed, with root causes determined and necessary responses performed.
It is also notable that, where consumer harm is found and penalties are assessed, the Memo makes clear that it will send any funds the CFPB obtains “directly to consumers, rather than imposing penalties on companies in order to simply fill the [agency’s] penalty fund.”
2. Insured depository institutions
The Memo suggests that the CFPB will “shift [its focus] back to depository institutions.” Importantly, the Dodd-Frank Act3 provides that the CFPB has supervisory authority over insured depository institutions with more than $10B in assets in connection with such institutions’ compliance with consumer financial protection laws.
Affected banks would be wise to use this time before the appointment of a permanent director of the CFPB (who will likely staff offices consistent with this and the other priorities in the Memo) to ensure that compliance mechanisms related to the provision of consumer financial products and services are appropriate, compliant and reflective of issues identified in recent consumer complaints.
3. Specific product foci
The Memo provides that residential mortgages are a strong priority, especially where there are “identifiable victims” who have suffered “measurable consumer damages” (emphasis in original). Residential mortgages have always been a significant priority regardless of presidential administration, and most residential mortgage loan originators likely have adequate compliance programs. However, a significant unknown is how the CFPB will treat newer consumer financial products offered in the residential mortgage space, like shared appreciation mortgages and home equity investment products. In addition, the Memo notes that violations of the Fair Credit Reporting Act (as it relates to data furnishing violations) and the Fair Debt Collection Practices Act (as it relates to consumer contracts and debts) will also be priorities.
4. Specific constituent foci
The Memo notes that service members and their families, as well as veterans, are included within its priorities. This requirement reflects an understanding of the Dodd-Frank Act’s specific provisions requiring such work and is consistent with the agency’s actions since its inception.4
5. Federalism/coordinated actions with states
The Memo clarifies that the CFPB will “deprioritize” participation in multistate exams except where statutorily required. Further, the Memo provides that the agency will “deprioritize supervision” where states have “ample regulatory and supervisory authority,” unless statutorily required. Importantly, under the Dodd-Frank Act, state attorneys general may “bring a civil action in the name of such State in any district court of the United States in that State or in State court that is located in that State and that has jurisdiction over the defendant, to enforce provisions of this title [the Consumer Financial Protection Act] or regulations issued under this title, and to secure remedies under provisions of this title or remedies otherwise provided under other law.”5 Given the statement in the Memo, it is highly likely that certain consumer financial protection laws not specifically identified therein, such as the Truth in Lending Act and the Electronic Funds Transfer Act, will be of minimal interest to agency officials (unless, of course, interest is driven into these areas based upon consumer complaint volume, as described above).
What’s Next
Like many aspects of compliance that are in a state of flux with the change in presidential administrations, it is also not clear that a permanent CFPB director will share and support the same supervisory and enforcement goals. Once a permanent director is in place (which is anticipated to occur sometime before mid-June based upon recent reports from Senate Banking Committee leadership6), it is likely that the priorities listed above will require revisiting.
1 Note that the materials relied upon by Katten for purposes of this advisory do not appear publicly on the CFPB’s website. However, the materials reviewed appear on CFPB letterhead and, as described herein, are consistent with public positions agency leadership has taken with respect to the nature of future agency activities in light of the recent presidential election.
2 The CFPB complaint database is available at: https://www.consumerfinance.gov/data-research/consumer-complaints/ (last reviewed April 17, 2025).
3 H.R.4173 – 111th Congress (2009-2010).
4 The Dodd-Frank Act (Section 1013(e)) specifically provides that the “Director shall establish an Office of Service Member Affairs, which shall be responsible for developing and implementing initiatives for service members and their families.”
5 12 U.S.C. § 5552(a)(1).
6 See https://www.americanbanker.com/news/senate-eyes-may-for-cfpb-nomination-vote-scott-says which describes Sen. Scott’s prediction regarding the timing of the confirmation of Jonathan McKernan as CFPB Director.
OMB Issues Revised Policies on AI Use and Procurement by Federal Agencies
On April 3, 2025, the White House’s Office of Management and Budget (“OMB”) issued two revised policies on federal agencies’ use and procurement of artificial intelligence (“AI”), M-25-21 (“Accelerating Federal Use of AI through Innovation, Governance, and Public Trust”) and M-25-22 (“Driving Efficient Acquisition of Artificial Intelligence in Government”). These memos are designed to support the implementation of Executive Order 14179 (“Removing Barriers to American Leadership in Artificial Intelligence”), which was signed on January 23, 2025, and largely focuses on removing existing policies on AI technologies to facilitate rapid, responsible adoption across the federal government and improve public services.
The revised memos essentially replace the OMB memos published during the Biden Administration, including M-24-10 (“Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence”), which was issued on March 28, 2024. Key differences in the revised memos include:
a “forward-leaning and pro-innovation” approach to AI that encourages accelerated adoption and acquisition of AI by reducing bureaucratic burdens and maximizing U.S. competitiveness;
empowerment of agency leadership to implement AI governance efforts, risk management and interagency coordination;
transparency measures for the public that demonstrate AI risk mitigation, use, value and efficiency;
allowance of waivers for “high-impact” AI use cases and transparency requirements when justified; and
a strong preference for American-made AI tools and services, as well as for developing and retaining American AI talent.
OMB Memorandum M-25-21: Accelerating Federal Use of AI through Innovation, Governance, and Public Trust
OMB Memo M-25-21 outlines a new framework for the acceleration of federal agencies’ adoption and use of innovative AI technologies by focusing on three key priorities: innovation, governance and public trust. The memo seeks to lessen potential bureaucratic burdens and restrictions that the Administration contends have hindered timely uptake of AI across federal agencies, with the goal of ensuring that the American public receives the maximum benefit from AI adoption.
Scope
The memo applies to “new and existing AI that is developed, used, or acquired by or on behalf of covered agencies” and to “system functionality that implements or is reliant on AI, rather than to the entirety of an information system that incorporates AI.” The memo does not cover AI being used as a component of a National Security System.
Key Provisions
Removing bureaucratic barriers: Agencies are called to streamline AI adoption by reducing unnecessary requirements, increasing transparency, and maximizing existing resources and investments. CFO Act agencies must, within 180 days, publish agency-wide strategies for removing barriers to AI use.
Mandating Chief AI Officers: Agencies must, within 60 days, designate Chief AI Officers (“CAIOs”) to lead AI governance implementation, risk management and strategic AI adoption efforts. The CAIO will serve as the senior advisor on AI to the head of the agency and support interagency coordination on AI (e.g., AI-related councils, standard-setting bodies, international bodies). To further support agencies’ efforts, OMB will convene an interagency council to coordinate federal AI development and use.
Establishing agency AI Governance Boards: Within 90 days, CFO Act agencies must convene their own governance boards to coordinate cross-functional oversight and include representation from key stakeholders across federal agencies, including IT, cybersecurity, data, and budget.
Enabling workforce readiness: The memo encourages agencies to leverage AI training programs and resources to upskill federal agencies on AI technology. Agencies also are encouraged to set clear expectations for their workforce on appropriate AI use and designated channels for delegating accountability for AI risk.
Implementing oversight over high-impact AI: Agencies must implement risk management practices for “high-impact” AI use cases. AI is considered “high-impact” if “its output serves as a principal basis for decisions or actions that have a legal, material, binding, or significant effect on rights or safety.” For these high-impact use cases, agencies must:
conduct pre-deployment testing to identify both potential risks and benefits of the AI use case;
complete AI Impact Assessments before and throughout deployment that evaluate the intended purpose and expected benefit, performance of the model, and ongoing impacts of its use;
ensure adequate human oversight by providing AI training and implementing appropriate safeguards for human intervention;
offer remedies or appeals for individuals affected by AI-enabled decisions; and
cease or pause use of high-impact AI that does not comply with the minimum requirements set forth in the memo.
Mandating transparency measures to the public: Agencies must at least annually inventory and publicly publish their AI use cases. Agencies also must publicly report risk determinations and waivers from minimum practices for high-impact AI alongside a justification.
OMB Memorandum M-25-22: Driving Efficient Acquisition of Artificial Intelligence in Government
OMB Memo M-25-22 complements Memo M-25-21 by instructing federal agencies how to acquire AI responsibly. The memo focuses on three overarching themes: fostering a competitive American marketplace for AI to ensure high-quality, cost-effective solutions for the public; safeguarding taxpayer dollars by tracking AI performance and managing risks; and promoting effective AI acquisition through cross-functional engagement.
Scope
The memo applies to “AI systems or services that are acquired by or on behalf of covered agencies,” and exempts AI acquired for use as a component of a National Security System, among other exemptions.
Key Provisions
Investing in the American AI marketplace: The memo encourages agencies to maximize investments by purchasing U.S.-developed AI solutions where possible. Agencies also are encouraged to develop and retain AI talent with relevant technical expertise who can contribute to ongoing efforts to scale and govern AI.
Protecting American privacy and IP rights: Agencies must ensure that any acquired AI system complies with existing privacy and IP legal requirements. Agencies also must have appropriate processes in place that cover the use of government data. For example, procurement contracts should include terms that prevent vendors from processing such data for the purpose of training, fine-tuning or developing an AI system without explicit consent from the agency.
Ensuring competitive, cost-effective procurement: Procurement contracts should protect against vendor lock-in through requirements, including vendor knowledge transfers, data and model portability, and transparency. Agencies also may incentivize competition by leveraging performance-based contracting to ensure satisfactory model performance.
Assessing AI risks across the lifecycle: Agencies must ensure that contracts include the ability to regularly monitor and evaluate the performance, risks, and effectiveness of an AI system or service. Agencies also are encouraged to require vendors to perform regular assessments and mitigate new risks or correct changes to AI model performance. Contracts also must comply with the minimum risk management practices for high-impact AI use cases (outlined in OBM Memo M-25-21).
Contributing to a shared repository of best practices: Within 200 days, GSA, in coordination with OMB, will develop an online repository of tools and resources to enable responsible AI procurement. Agencies should contribute to this repository where possible to foster knowledge-sharing and interagency cooperation.
Requiring unanticipated disclosures of vendor AI use: Agencies should consider including solicitation provisions in their contracts that require disclosure of unanticipated vendor use of AI.