Utah Pioneers App Store Age Limits

Utah’s governor recently signed the first law that puts age restrictions on app downloads. The law (the App Store Accountability Act, SB 142) was signed yesterday (Wednesday, April 26, 2025). We anticipate that the law may be challenged, similar to NetChoice’s challenge to the Utah Social Media Regulation Act and other similar state laws.
Once in effect, the law will apply to both app stores and app developers. There are various effective dates – May 7, 2025, May 6, 2026, and December 31, 2026 – as outlined below. Among its requirements are the following:

Age Verification: Under the new law, beginning May 6, 2026, app stores will need to verify the age of any user located in the state using “commercially reasonable” measures. Prior to that time, the Division of Consumer Protection will need to create rules that outline how age can be verified. Also starting May 2026, app developers will need to verify age categories “through the app store’s data sharing methods.” Age categories are children (users under age 13), younger teenagers (users between the ages of 13 and 15), older teenagers (users aged 16 or 17), and adults (users aged 18 and up).
Parental Consent/Notification: Beginning May 6, 2026, app stores will need parental consent before a minor can download or purchase an app, or make in-app purchases. Consent is to be obtained through a parental account that links to the child’s account. At the same time, app developers will need to verify that app stores have parental consent for minors’ accounts. They also have to notify app stores of any significant changes to their apps. When this happens, the app stores will need to notify users and parents of these changes and get parents’ renewed consent. App stores will also need to notify developers any time parents revoke their consent.
Contract Enforcement: Under the new law, beginning May 6, 2026, app stores will not be able to enforce contracts against minors unless they already have consent from the minors’ parents. This applies to app developers as well, unless they verify that the app store has consent from the minor’s parents.
Safe Harbor: The new law contains safe harbor provisions for app developers. Developers won’t be responsible for violating this law if they rely in good faith on information provided by the app store. This includes age information as well as confirmation that parents provided consent for minors’ accounts. For the safe harbor to apply, developers also need to follow the other rules set out for them by the law (described above).

Putting it into Practice: While we anticipate that this law will be challenged, it signals that states are continuing their focus on laws relating to children in the digital space. This is the first law that is focused on app stores, but we expect to see more in the future.
 
James O’Reilly contributed to this post.

Joint Bulletin Warns Health Sector of Potential Coordinated Multi-City Attack

On March 20, 2025, the American Hospital Association (AHA) and the Health-ISAC issued an alert to the health care sector warning of a social media post that posed a potential threat “related to the active planning of a coordinated, multi-city terrorist attack on hospitals in the coming weeks.” The post targets “mid-tier cities with low-security facilities.”
The alert recommends “that teams review security and emergency management plans and heighten staff awareness of the threat,” including physical security protocols and practices, such as “having a publicly visible security presence.”
The alert, updated on March 26, 2025, indicates that the FBI has not identified a “specific credible threat targeted against hospitals in any U.S. city.” Nonetheless, the threat is concerning, and the recommendations of the AHA and Health-ISAC are worth noting.

Pennsylvania Teacher’s Union Faces Class Action over Data Breach

The Pennsylvania State Education Association (PSEA) faces a class action resulting from a July 2024 data breach. The proposed class consists of current and former members of the union as well as PSEA employees and their family members. The lawsuit alleges that the union was negligent and breached its fiduciary duty when it suffered a data breach that affected Social Security numbers and medical information. The complaint further alleges that the PSEA failed to implement and maintain appropriate safeguards to protect and secure the plaintiffs’ data.
The union sent notification letters in February 2025 informing members that the data acquired by the unauthorized actor contained some personal information within the network files. The letter also stated, “We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted [. . .] We want to make the impacted individuals aware of the incident and provide them with steps they can take to further protect their information.” The union also informed affected individuals that they did not have any indication that the information was used fraudulently.
The complaint alleges “actual damages” suffered by the plaintiff related to monitoring financial accounts and an increased risk of fraud and identity theft. Further, the complaint states that “the breach of security was reasonably foreseeable given the known high frequency of cyberattacks and data breaches involving health information.”
In addition to a claim of negligence, the class alleges that the breach violates the Federal Trade Commission Act and the Health Insurance Portability and Accountability Act. The class is demanding 10 years of credit monitoring services, punitive, actual, compensatory, and statutory damages, as well as attorneys’ fees.

Personal Information Released in JFK Files

I am not sure what the rush was to make the JFK assassination files available, but the perceived urgency caused Social Security numbers of individuals involved in the investigation to be released to the public. Although The Washington Post found 3,500 Social Security numbers in the documents, it is estimated that many were duplicates, and over 400 individuals were affected.
The Social Security numbers contained in the over 60,000 pages of documents can be accessed online or in person. The Washington Post reported the unauthorized disclosure, and the National Archives then screened the documents “so that the Social Security Administration could identify living individuals and issue them new numbers.”
Unfortunately, the documents were not previously screened for personal information, a basic tenet of protection. It is another message reaffirming that the new administration does not prioritize data security.

Phishing Attacks – Anyone Can Get Owned

HaveIBeenPwned is a website that allows users to check whether their data has been involved in data breaches. The website’s creator, Troy Hunt, was the subject of a phishing attack earlier this week. The attack was unrelated to the HaveIBeenPwned website and compromised Hunt’s personal Mailchimp account.
According to Hunt, he received an email purporting to be from Mailchimp regarding a flag on his account. When he clicked the “Review Account” button, he was taken to a fake Mailchimp domain. Hunt notes in a blog post that he manually entered his credentials and that they did not auto-populate from his password management application as they usually would.
Hunt received and entered a one-time password and was taken to a hung page. Now suspicious, he then reportedly logged into the legitimate Mailchimp site and changed his password, but the phishing attack was likely an automated process. Within minutes, Hunt had already received notification emails from Mailchimp regarding login activity and list exports from another unknown IP address. Hunt noted that the list included approximately 16,000 records, including current and former blog subscribers.
Below is the screenshot shared on Hunt’s blog:

The common conception is that a typical phishing email is poorly worded, involves an unusual payment request, and is blatantly implausible. However, this incident demonstrates that phishing attacks are becoming increasingly sophisticated and can happen to anyone.
Takeaways:

Sense of urgency can be subtle – As bad actors become more sophisticated, not all phishing emails will create an unbelievable sense of urgency, such as asking users to update their payment or billing information to unlock an account. In Hunt’s case, he acknowledged that the notification created “just the right amount of urgency without being over the top.” Any email from an organization or person creating a sense of urgency warrants pause and contemplation before clicking or performing any action.
Circumvention of password manager could be a sign – Password managers are designed to autofill credentials on known websites. Hunt realized that his credentials did not populate into the fake Mailchimp site, which, in hindsight, was a potential sign of unusual activity. If a site that typically remembers your credentials requests them, this might be (though it is not always) a sign of a spoofed domain.
One-time passwords are not foolproof – Although multi-factor authentication provides enhanced security over using only usernames and passwords, one-time passwords cannot protect against such automated phishing attacks because once the user enters the one-time password onto the spoofed site, the bad actor now has access to the legitimate account.
Passkeys are more phishing-resistant – A passkey is a password replacement, where a digital credential tied to a user’s account allows them to authenticate into the account. Passkeys rely on biometrics or swipe patterns to sign users into accounts. Passkeys cannot be stolen as easily as passwords because they require the bad actor to have access to users’ biometrics or swipe patterns, which is not readily accessible.
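The last two takeaways turn on one mechanical difference, shown here in an added example (not code from Hunt’s post or from Mailchimp): a one-time password is just digits and can be forwarded from a lookalike page to the real site unchanged, whereas a passkey assertion is produced by the browser with the page’s origin written into the signed data and by an authenticator that only holds a credential for the real site’s relying party ID. The origins, secrets and challenges are constructed, and an HMAC key stands in for the passkey’s asymmetric private key.

```python
"""Why a relayed one-time password is accepted but a passkey assertion made on a
lookalike domain is not: the browser writes the page origin into the signed client
data, and the authenticator only holds a credential for the real site's rp_id."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

LEGIT_ORIGIN = "https://login.example.com"       # constructed: the real login page
PHISH_ORIGIN = "https://login.example-com.test"  # constructed: the lookalike page

# --- One-time passwords: the code carries nothing about where it was typed ---
class OtpServer:
    """TOTP-style code: HMAC of the 30-second time step under a shared secret (simplified)."""

    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret

    def code_for(self, step: int) -> str:
        mac = hmac.new(self.secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def verify(self, code: str, now: float) -> bool:
        return hmac.compare_digest(code, self.code_for(int(now // 30)))

def otp_relay_is_accepted(now: float = 1_700_000_000.0) -> bool:
    """The user types the code into the lookalike page, which forwards it verbatim."""
    shared = secrets.token_bytes(20)                         # constructed shared secret
    server, user_app = OtpServer(shared), OtpServer(shared)  # the phone app holds the same secret
    typed_on_phish_page = user_app.code_for(int(now // 30))
    return server.verify(typed_on_phish_page, now)           # accepted: no origin is bound to it

# --- Passkeys: rp_id and page origin are bound into what gets signed ---
class Authenticator:
    """One credential per relying party ID. An HMAC key stands in for the private key;
    real passkeys sign with an asymmetric key, but the origin binding works the same way."""

    def __init__(self):
        self.credentials: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]       # a real registration exports only the public key

    def get_assertion(self, rp_id: str, client_data: bytes) -> dict:
        if rp_id not in self.credentials:
            raise LookupError(f"no credential registered for rp_id {rp_id!r}")
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # authenticatorData carries rpIdHash
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.credentials[rp_id], signed, hashlib.sha256).digest()
        return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def browser_get_assertion(auth: Authenticator, page_origin: str, challenge: str) -> dict:
    """The browser, not the page's script, fills in the origin and derives rp_id from it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    return auth.get_assertion(urlparse(page_origin).hostname, client_data)

class PasskeyServer:
    """Relying party: checks challenge, origin, rpIdHash and signature, in that order."""

    def __init__(self, origin: str, credential_key: bytes):
        self.origin, self.key = origin, credential_key
        self.rp_id = urlparse(origin).hostname
        self.pending: set[str] = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, assertion: dict) -> tuple[bool, str]:
        client = json.loads(assertion["client_data"])
        if client.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        if client.get("origin") != self.origin:
            return False, f"origin mismatch: {client.get('origin')!r}"
        if assertion["auth_data"] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(self.key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        self.pending.discard(client["challenge"])            # each challenge is single-use
        return True, "ok"

def passkey_login(page_origin: str) -> tuple[bool, str]:
    """Same user, same authenticator, same real server; only the page asking differs."""
    auth = Authenticator()
    server = PasskeyServer(LEGIT_ORIGIN, auth.register(urlparse(LEGIT_ORIGIN).hostname))
    challenge = server.new_challenge()         # a relay would fetch this from the real site
    try:
        assertion = browser_get_assertion(auth, page_origin, challenge)
    except LookupError as exc:                 # lookalike rp_id: nothing to sign with
        return False, str(exc)
    return server.verify(assertion)
```

Running `passkey_login(LEGIT_ORIGIN)` succeeds while `passkey_login(PHISH_ORIGIN)` fails before anything is signed, and `otp_relay_is_accepted()` returns True because the server cannot tell which page the code was typed into.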

No single tip or trick can help prevent phishing attacks, but remaining vigilant and enacting certain security measures can minimize the chances of becoming subject to such social engineering schemes.

THE WHITE COAT DIDN’T BETRAY YOU—THE PIXEL DID: Judge Keeps Florida Wiretap Case Against Hospital Alive

Greetings CIPAWorld!
Your search history reveals more about you than you might realize. If you’ve ever noticed suspiciously specific medical ads appearing after researching health concerns online, you’re not just being paranoid; you’re witnessing sophisticated tracking technologies at work.
A federal court in Florida handed down a decision that should make us pause before typing that symptom into a healthcare website’s search bar. This case involves a patient who claimed her medical searches on Orlando Health’s website allegedly led to targeted Facebook ads for her specific medical conditions. See W.W. v. Orlando Health, Inc., No. 6:24-cv-1068-JSS-RMN, 2025 U.S. Dist. LEXIS 40038 (M.D. Fla. Mar. 6, 2025).
Judge Julie S. Sneed’s ruling in W.W. v. Orlando Health, Inc. denied most of the healthcare provider’s attempts to dismiss the lawsuit, potentially opening the door for closer scrutiny of how medical websites track and share our sensitive health information. As someone who has researched medical information online in the past (who doesn’t these days?), I wondered exactly what happens when I click that “search” button on my insurance carrier’s website.
The Plaintiff alleged she used Orlando Health’s website to research conditions, including ileostomy, heart problems, and fatty liver disease. She later noticed Facebook advertisements popping up for products related to these exact conditions—ileostomy bags, heart failure treatments, and services from Orlando Health neurologists. Coincidence? Plaintiff didn’t think so, and Judge Sneed found her claims plausible enough to proceed.
However, the medical context elevates this case beyond another privacy suit. The Court noted that Orlando Health operates over 100 medical facilities. It encourages patients to use its website to communicate medical symptoms, conditions, and treatments via the search bar and related webpages, including access to appointment booking and the MyChart patient portal. As such, this wasn’t a casual browsing session but an online extension of the doctor-patient relationship.
What makes this case particularly concerning is the nature of the tracking technology itself. Plaintiff alleges that Orlando Health employed tracking tools that operate largely invisibly to users. Judge Sneed acknowledged this reality, noting these technologies are hidden from users’ view and difficult to avoid, even for the particularly tech-savvy user. This creates a troubling power imbalance—patients have no meaningful way to opt out of tracking that they don’t even know is happening.
Even more fascinating is how the court analyzed the claims of the Florida Security of Communications Act (“FSCA”). I think it’s important I highlight the FSCA… after all, I am a Floridian. The FSCA prohibits the intentional interception of electronic communications, and Orlando Health argued that what was being tracked was merely metadata, not the actual content of communications. But Judge Sneed distinguished this case from previous decisions involving commercial websites.
The key difference? Medical searches reveal something fundamentally private about us. For instance, if I decide to search “cardiologist for heart palpitations,” I’m not just clicking links—I’m communicating sensitive information about my health condition. The Court recognized this distinction, noting that information about a user’s medical conditions and healthcare searches constitutes ‘contents’ protected under these statutes.
To break this down further, the FSCA defines “contents” as “any information concerning the substance, purport, or meaning of that communication.” Fla. Stat. § 934.02(7). The Court emphasized that URLs and search queries on a medical website reflect the message Plaintiff sought to convey to Defendant through its website, thus satisfying the statutory standard. Judge Sneed’s approach relied on Black’s Law Dictionary to define “substance,” “purport,” and “meaning,” grounding her interpretation in long-standing legal usage.
As a result, Judge Sneed determined that W.W. successfully alleged all three required elements for an FSCA claim: (1) that Orlando Health intentionally intercepted her electronic communications, (2) that these interceptions captured protected “contents” under the statute, and (3) that she had not consented to this interception. The Court emphasized that Plaintiff has adequately alleged that the electronic communications she claims were intercepted were ‘contents’ as defined by the FSCA.
Orlando Health relied heavily on a Florida case, Jacome v. Spirit Airlines, Inc., No. 2021-000947-CA-01, 2021 WL 3087860, at *1 (Fla. Cir. Ct. June 17, 2021), which involved “session replay” technology tracking users’ movements on a commercial airline website. But Judge Sneed pointed out three crucial differences: first, Jacome involved different tracking technology in a non-healthcare context; second, the very case Orlando Health relied on actually supported W.W.’s position by acknowledging that medical records deserve protection; and third, other courts facing similar healthcare tracking cases have reached conclusions favorable to patients. The Court held that Plaintiff’s claims are predicated on the tracking tools’ interception of her communications… not on the simple fact that her movements on Defendant’s website were tracked.
Moreover, the Court analyzed multiple cases where similar tracking tools on healthcare websites were found potentially liable under wiretap laws. In A.D. v. Aspen Dental Mgmt., Inc., No. 24 C 1404, 2024 WL 4119153, at *5-7 (N.D. Ill. Sept. 9, 2024), the Northern District of Illinois denied a motion to dismiss, finding that URLs containing search terms about medical conditions constituted protected content. Similarly, in R.C. v. Walgreen Co., 733 F. Supp. 3d 876, 885, 903 (C.D. Cal. 2024), the Court found that when tracking technologies shared information about “sensitive healthcare products” with Meta and Google, resulting in targeted ads, this information “reveal[ed] a substantive message about [the p]laintiffs’ health concerns.”
As such, the ruling on the FSCA claim is principally significant because, as Judge Sneed noted, “the FSCA was modeled after the Wiretap Act, [and] Florida courts construe the FSCA’s provisions in accord with the meaning given to analogous provisions of the Wiretap Act.” W.W., 2025 U.S. Dist. LEXIS 40038, at *7. This means the Court’s interpretation of what constitutes “contents” under the FSCA directly influenced its analysis of the federal Wiretap Act claim.
What I found particularly striking was the Court’s reference to the Ninth Circuit’s decision in In re Zynga Priv. Litig., 750 F.3d 1098 (9th Cir. 2014). While that case found that basic website header information wasn’t protected content, it explicitly stated that “a user’s request to a search engine for specific information could constitute a communication such that divulging a URL containing that search term to a third party could amount to disclosure of the contents of a communication.” This distinction has become crucial in healthcare privacy cases, with courts like the Northern District of California in Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1076 (N.D. Cal. 2023), recognizing that “a URL disclosing a ‘search term or similar communication made by the user’ ‘could constitute a communication’ under the [Wiretap Act].”
Next, the Court also looked at similar cases in other jurisdictions. In In re Grp. Health Plan Litig., 709 F. Supp. 3d 707, 712, 718, 720 (D. Minn. 2023), a Minnesota Court determined that technology that “surreptitiously track[ed] users’ interactions on the [defendant’s w]ebsites and transmit those interactions to [Meta]” was actionable under the Wiretap Act. Similarly, in Doe v. Microsoft Corp., No. C23-0718-JCC, 2023 WL 8780879, at *9 (W.D. Wash. Dec. 19, 2023), a Washington Court found similar allegations sufficient under California’s Invasion of Privacy Act (“CIPA”).
The Court’s analysis demonstrated a sophisticated understanding of how modern tracking tools actually function. Judge Sneed described how the Facebook Pixel works, explaining that it causes the user’s web browser to instantaneously duplicate the contents of the communication with the website and send the duplicate from the user’s browser directly to Facebook’s server. In a sense, it’s like having a third person secretly photocopy your private medical forms as you fill them out—except it happens digitally, all without your knowledge. That’s a scary thought.
One crucial legal issue the Court had to address was whether Orlando Health could be liable under the Wiretap Act as a party to the communications. Normally, a party to communications can’t “intercept” them under the law. But Judge Sneed found that the “crime-tort exception” might apply, which creates liability when a party intercepts communications “for the purpose of committing any criminal or tortious act.” 18 U.S.C. § 2511(2)(d). This exception has created a split among federal courts, with some like B.K. v. Eisenhower Med. Ctr., 721 F. Supp. 3d 1056, 1065 (C.D. Cal. 2024) rejecting its application, while others like Cooper v. Mount Sinai Health Sys., Inc., 742 F. Supp. 3d 369, 380 (S.D.N.Y. 2024) have held that “A defendant’s criminal or tortious purpose of knowingly disclosing individually identifiable health information to another person in violation of HIPAA may satisfy the crime-tort exception.”
Let’s just think about this for a moment. When you visit your healthcare provider’s website and search for information about a medical condition, you’re effectively having a private conversation about your health. This is a conversation you reasonably expect to stay between you and your provider. Plaintiff alleges that Orlando Health allowed Facebook and Google to listen to this conversation without her knowledge or consent and then use what they heard to sell her things. That’s not just invasive—it’s monetizing vulnerability. The Complaint even describes Meta Pixel and Google’s APIs duplicating real-time communications and sending them to third-party servers without user awareness.
I remember searching for allergy specialists on my insurance provider’s website, only to suddenly see my social media feeds filled with ads for allergy medications. It felt like someone had been reading over my shoulder—because in a digital sense, they had been. This is a troubling loophole in our digital privacy framework. While HIPAA strictly regulates how healthcare providers handle patient information in traditional contexts, the rules often become murky in digital environments. The law hasn’t caught up to the technology, and it’s essential that case law helps close that gap.
The Court recognized other claims as well, including breach of confidence. Judge Sneed emphasized the profoundly personal nature of health information, quoting Norman-Bloodsaw v. Lawrence Berkeley Lab., 135 F.3d 1260, 1269 (9th Cir. 1998): “One can think of few subject areas more personal and more likely to implicate privacy interests than that of one’s health.” Additionally, the Court also allowed unjust enrichment and breach of implied contract claims to proceed, acknowledging that private health information has economic value that healthcare providers shouldn’t be able to exploit without consent. Judge Sneed agreed that Defendant obtained enhanced advertising services and more cost-efficient marketing from the data disclosures, which plausibly conferred a benefit on Orlando Health without Plaintiff’s consent.
In an interesting development for data privacy attorneys, the Court expressly recognized the economic value of personal health information. As Judge Sneed noted, courts should not “ignore what common sense compels it to acknowledge—the value that personal identifying information has in our increasingly digital economy…. Consumers too recognize the value of their personal information and offer it in exchange for goods and services.” W.W., 2025 U.S. Dist. LEXIS 40038, at *32-33 (quoting In re Marriott Int’l, Inc., 440 F. Supp. 3d 447, 462 (D. Md. 2020)).
Interestingly, the Court did dismiss one claim—invasion of privacy by intrusion upon seclusion—finding that Florida law requires an intrusion into a private “place” rather than merely a private activity. As Pet Supermarket, Inc. v. Eldridge, 360 So. 3d 1201, 1207 (Fla. Dist. Ct. App. 2023) specified, “Florida law explicitly requires an intrusion into a private place and not merely into a private activity.” This reveals a gap in privacy law that has not yet adjusted to the digital age, where violations occur in virtual rather than physical spaces.
The irony here is palpable. Healthcare providers are bound by HIPAA and other regulations that severely restrict how they can share our health information in traditional contexts. Yet some providers may allow tech companies to access this information through their websites with far less oversight.
Judge Sneed’s decision aligns with similar rulings in cases like D.S. v. Tallahassee Mem’l HealthCare, No. 4:23cv540-MW/MAF, 2024 WL 2318621, at *1 (N.D. Fla. May 22, 2024), and Cyr v. Orlando Health, Inc., No. 8:23-cv-588-WFJ-CPT (M.D. Fla. July 5, 2023). In Tallahassee Memorial, the Court denied dismissal of identical claims where a healthcare provider allegedly disclosed patient information to Meta and Google through website tracking. Similarly, in Cyr—another case against Orlando Health itself—the Court found the plaintiff’s claims plausible and worthy of proceeding past the pleading stage. This suggests that Courts are increasingly receptive to these digital privacy concerns in the healthcare context.
All in all, healthcare marketers may need to rethink their digital strategies, and patients might finally gain transparency into how their online health searches are being monetized. The next time you search for symptoms online or book a medical appointment through a website, remember that a seemingly private digital conversation might have more participants than you realize.

ANCIENT TEXTS: Plaintiff Brings Class Action Against Ancient Cosmetics 3 years 364 Days After Text Was Sent

When people tell you the statute of limitations for a TCPA violation is four years – we really mean it.
Back on March 25, 2021, a company called Ancient Cosmetics allegedly sent a marketing text message to a lady named Patrice Gonzalez.
At that time Tom Brady had just won a Super Bowl over the Chiefs, that big ship Ever Given was still stuck in the Suez Canal and the Czar was still working in big law.
Yeah, that was a looooong time ago.
But just this week Ms. Gonzalez filed a TCPA class action lawsuit against Ancient Cosmetics over the ancient text messages – what are the odds of that BTW? – and it’s a great reminder to folks.

Compare!
What you do today in TCPAWorld has consequences for a loooong time to come.
That means you need to be keeping records of consent–especially if you are buying leads–for that entire time.
And yes people WILL sue you 3 years, 364 days after you allegedly violate the TCPA.
Gross, right?
Let those who have ears to hear, hear.

Mexico’s New Personal Data Protection Law: Considerations for Businesses

On March 20, 2025, Mexico’s new Federal Law on the Protection of Personal Data held by Private Parties (FLPPDPP) was published in the Official Gazette of the Federation. Effective March 21, the new law replaces the FLPPDPP published in July 2010.
Among the key changes the decree and new FLPPDPP introduce is the dissolution of the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI). Before the decree’s publication, INAI served as an autonomous regulatory and oversight authority for matters related to transparency, information access, and personal data protection. As of March 21, 2025, these responsibilities will be transferred to the Ministry of Anticorruption and Good Governance (Ministry), a governmental body reporting directly to the executive branch. The Ministry will now supervise, oversee, and regulate personal data protection matters.  
Related to personal data protection, companies may wish to consider the following points when preparing to comply with the new FLPPDPP:

The definition of “personal data” is amended to remove the previous limitation to natural persons, expanding the scope to any identifiable individual—when their identity can be determined directly or indirectly through any information.   
The law now requires that the data subject give consent “freely, specifically, and in an informed manner.”   
Public access sources are now limited to those the law explicitly authorizes for consultation, provided no restrictions apply, and are only subject to the payment of the applicable consultation fee.   
The scope of personal data processing expands to encompass “any operation or set of operations performed through manual or automated procedures applied to personal data, including collection, use, registration, organization, preservation, processing, communication, dissemination, storage, possession, access, handling, disclosure, transfer, or disposal of personal data.”   
As a general rule, the data subject’s tacit consent is deemed sufficient for data processing, unless the law expressly requires obtaining prior explicit consent.   
Regarding the privacy notice, the new FLPPDPP requires data controllers to specify the purposes of processing that require the data subject’s consent. Additionally, the express obligation to disclose data transfers the controller carries out is eliminated.   
Resolutions the Ministry issues may be challenged through amparo proceedings before specialized judges and courts.

Takeaways

1. Although this amendment does not introduce substantial changes with respect to the obligations of those responsible for processing personal data, companies should review their privacy notice and, if necessary, adjust it to the provisions of the FLPPDPP including, where appropriate, replacing references to the INAI.
2. If any data protection proceedings were initiated before the INAI while the previous law was in effect, the provisions of the prior law will continue to govern such proceedings, with the exception that the Ministry will now handle them.
3. The executive branch will have 90 days to issue the necessary amendments to the new FLPPDPP regulations. Companies should monitor for the amendments’ publication to identify changes that may impact their compliance obligations under the new law.


China Releases New Rules Regarding the Use of Facial Recognition Technology

On March 21, 2025, the Cyberspace Administration of China and the Ministry of Public Security jointly released the Security Management Measures for the Application of Facial Recognition Technology (the “Measures”), which will become effective on June 1, 2025. Below is a summary of the scope and certain of the key requirements of the Measures.
Scope of Application of the Measures
The Measures apply to activities using facial recognition technology to process facial information to identify an individual in China. However, the Measures do not apply to activities using facial recognition technology for research or algorithm training purposes in China.
Facial information refers to biometric information of facial features recorded electronically or by other means, relating to an identified or identifiable natural person, excluding information that has been anonymized.
Facial recognition technology refers to individual biometric recognition technology that uses facial information to identify an individual’s identity.
Specific Processing Requirements for Facial Recognition Technology
The Measures include specific processing requirements which must be complied with when activities are in scope of the Measures. These include:

Storage: The facial information should be stored in the facial recognition device and prohibited from external transmission through the Internet, unless the data handler obtains separate consent from the data subject or is otherwise permitted by applicable laws and regulations.
Privacy Impact Assessment (“PIA”): The data handler should conduct a PIA before processing the data.
Public Places: Facial recognition devices can be installed in public places, subject to the data handler establishing the necessity for maintenance of public security. The data handler shall reasonably determine the facial information collection area and display prominent warning signs.
Restriction: The data handler should not use facial recognition as the only verification method if there is any other technology that may accomplish the same purpose or meet the equivalent business requirements.
Filing Requirement: If the data handler processes facial information of more than 100,000 individuals through facial recognition technology, it should conduct a filing with the competent Cyberspace authority at the provincial level or higher within 30 business days upon reaching that threshold. The filing documents should include, amongst other things, basic information of the data handler, the purpose and method of processing facial information, the security protection measures taken, and a copy of the PIA. In cases of any substantial changes of the filed information, the filing shall be amended within 30 business days from the date of change. If the use of facial recognition technology is terminated, the data handler shall cancel the filing within 30 business days from the date of termination, and the facial information involved shall be processed in accordance with the law.

Will Texas Become the First State to Enact a “Mini-CFIUS” Review Process?

On March 13, 2025, the Texas Legislature introduced HB 5007, which, if enacted, could establish the first US state regime tasked with screening foreign investments on national security grounds.[1] 
To be sure, this is not the first attempt by Texas to regulate acquisitions by foreign buyers within the state. The Lone Star Infrastructure Protection Act[2] (LIPA), which took effect in June 2021, prohibits Texas businesses from contracting with entities owned or controlled by individuals from China, Russia, North Korea and Iran if the contracting relates to critical infrastructure.[3] In addition, many other states have passed legislation limiting certain foreign investments into agricultural land within their borders.[4] Others are debating similar legislation.
HB 5007 is wholly different. It calls for the formation of a Texas Committee on Foreign Investment (TCFI). Modeled on the federal government’s interagency Committee on Foreign Investment in the United States, or CFIUS, TCFI would be composed of representatives from various Texas state agencies and charged with overseeing the pre-closing review and regulation of foreign acquisitions affecting “critical infrastructure” in Texas, agricultural land in Texas, or the sensitive personal data of Texas residents.[5] Subject to a monetary threshold to be determined by the governor, such transactions would require notification to the Texas Attorney General at least 90 days before closing, with penalties for non-compliance of up to $50,000 per violation.
While there is still uncertainty on whether and when Texas may implement the TCFI, companies considering transactions not only in Texas, but in other states rapidly enacting similar laws, should make sure to perform the necessary due diligence to identify and comply with these regulations, and also build in adequate time for closing delays based on mandatory notification periods that may vary by state. 
———————————————————
[1] TX HB5007, accessible at: https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=HB5007
[2] Lone Star Infrastructure Protection Act, 87th Leg., R.S., S.B. 2116 (codified as Tex. Bus. & Com. Code § 113.001, et seq.)
[3] LIPA defines critical infrastructure as: 1) communication infrastructure systems; 2) cybersecurity system; 3) electric grid; 4) hazardous waste treatment systems; and 5) water treatment facilities.
[4] https://nationalaglawcenter.org/state-compilations/aglandownership/
[5] “Critical infrastructure” is defined more broadly under HB 5007 than LIPA and includes, among other categories: critical manufacturing, dams, defense industrial bases, emergency services, communications facilities, energy, health care, food, financial services, information technology, transportation systems, nuclear materials, water systems, and government facilities.

FCA Review of Private Fund Market Valuation Practices

Go-To Guide:

The United Kingdom’s Financial Conduct Authority (FCA) is increasing its scrutiny of private fund market valuation practices, highlighting the need for stronger governance, transparency, and conflict-of-interest management across fund managers.
Fund managers are expected to apply consistent valuation methodologies, maintain functional independence in valuation processes, and address gaps in ad hoc valuation procedures.
The FCA has emphasised the importance of engaging third-party valuation advisers and has reminded fund managers of the importance of ensuring the independence of valuers.
Private fund managers should consider conducting gap analyses and strengthening their valuation frameworks to align with the FCA’s expectations.

Background
The FCA has embarked on a level of engagement with the private funds sector not seen since the consultation and engagement exercises surrounding the implementation of the Alternative Investment Fund Managers Directive (AIFMD) in 2013.
On 26 February 2025, the FCA issued a letter to the CEOs of all asset management and alternative firms, setting out its priorities for the year and informing them that it intends to:

engage with the UK fund management industry in a review of the UK’s implementation of the AIFMD, with a view to streamlining certain UK regulatory requirements (i.e. after maintaining a post-Brexit status quo, the FCA is now finally considering how UK private fund managers and their affiliated entities should be regulated); and
launch a review of conflict of interest management within UK fund managers. As part of this, the FCA will assess how firms oversee the application of their conflict of interest frameworks through their governance bodies and evaluate how investor outcomes are protected. (Note that the FCA will likely expect to see actual living processes deployed to prevent conflicts at all levels of a fund’s structure, with the efficiency of those processes tested by UK managers).

Subsequently, on 5 March 2025, the FCA published its findings from its review of private market valuation practices (the “Review’s Findings”).
Context of the FCA Review
The FCA’s review stemmed from its concern that private market assets, unlike public market assets, are not subject to frequent trading or regular price discovery. This necessitates firms to estimate values using judgment-based approaches, which can pose risks of inappropriate valuations due to conflicts of interest or insufficient expertise.
Private fund managers in the UK deploy a variety of different structures, and the valuation issues vary with them:

many of the valuation-related issues are more pronounced for open-ended funds that permit redemptions during the fund’s life, compared to closed-ended funds, where the true value and performance can only be determined at the end of the fund’s life when assets are sold.
funds that invest into a variety of assets, from relatively liquid ones (as is common with many hedge funds) to illiquid assets whose value may evolve as managers improve the asset (e.g. real estate funds and certain private equity funds).

We expect that the FCA will continue to focus on this area and will likely require all compliance teams across UK fund managers – regardless of their fund strategies – to conduct a gap analysis against the Review’s Findings. 
The Review’s Findings
The FCA identified examples of good practice in firms’ valuation processes, including:

high-quality reporting to investors;
comprehensive documentation of valuations; and
use of third-party valuation advisers to enhance independence, expertise, and the consistent application of established valuation methodologies.

Overall, the FCA found that firms recognised the importance of robust valuation processes that prioritise independence, expertise, transparency and consistency.
The Review’s Findings, however, also identified areas requiring improvement, particularly in managing conflicts of interest. For example, conflicts can arise between a manager and its investors in the valuation process, such as when fees charged to investors depend on asset valuations. While firms acknowledged conflicts relating to fee structures and remuneration policies, the FCA found that other potential valuation-related conflicts were inadequately recognised or documented. These include:

conflicts in investor marketing, where unrealised performance of existing funds may be used to market new funds;
secured borrowing, where valuations may be inflated to secure higher borrowing levels; and
pricing of redemptions and subscriptions based on a fund’s net asset value.

The FCA expects firms to identify, document, and assess all potential and relevant valuation-related conflicts, determine their materiality, and take actions needed to mitigate or manage them.
The Review’s Findings also highlighted variations in firms’ approaches to independence within valuation processes. The FCA noted that functional independence within valuation functions and voting membership of valuation committees are critical for effective control and expert challenge. Additionally, the FCA found that many firms lacked clearly defined processes or consistent approaches for conducting ad hoc valuations during market or asset-specific events. Given the importance of ad hoc valuations in mitigating the risk of stale valuations, the FCA encouraged firms to consider the types of events and quantitative thresholds that could trigger such valuations and document how they are to be conducted.
The FCA flagged the following key areas for managers to consider reviewing and potentially improving:

the governance of their valuation processes;
the identification, documentation, and management of potential conflicts within valuation processes;
ensuring functional independence for their valuation process; and
incorporating defined processes for ad hoc valuations.

Breakdown of the Review’s Findings
Governance arrangements
The FCA found that while most firms had specific governance arrangements in place for valuations, including valuation committees responsible for making valuation decisions or recommendations, there were instances where committee meeting minutes lacked sufficient detail on how valuation decisions were reached. The FCA emphasised that firms must keep detailed records to enhance confidence in the effectiveness of oversight for valuation decisions.
Conflicts of interest
The FCA expects firms to identify, avoid, manage and, when relevant, disclose conflicts of interest. The Review’s Findings identified specific areas where conflicts are likely to arise, including investor fees, asset transfers, redemptions and subscriptions, investor marketing, secured borrowing, uplifts and volatility and employee remuneration. While the FCA found that conflicts around fees and remuneration were typically identified and mitigated through fee structures and remuneration policies, other potential conflicts were only partially identified and documented. Many managers had not sufficiently considered or documented these conflicts, often relying on generic descriptions.
The FCA expects firms to thoroughly assess whether valuation-related conflicts are relevant and, if so, to properly document them and the actions taken to mitigate or manage them. This may include engaging third-party valuation advisers.
Functional independence and expertise
The FCA reviewed the extent to which firms maintained independent judgment within their valuation processes, by looking at independent functions and the expertise of valuation committee members.
Only a small number of managers clearly demonstrated functional independence by maintaining a dedicated valuation function or an independent control function to lead on valuations. Such functions were responsible for developing valuation models and preparing recommendations for decisions made by valuation committees.
The FCA noted that examples of good practice to ensure independence included establishing a separate function to lead valuations and ensuring sufficient independence within the voting membership of valuation committees to guarantee effective control and expert challenge.
Policies, procedures and documentation
Unsurprisingly, the FCA emphasised that clear, consistent and appropriate policies, procedures and documentation are core components of a robust valuation process. These elements ensure a consistent approach to valuations and enable auditors and investors to verify adherence to the valuation process.
The FCA found that not all firms provided sufficient detail on their rationales for selecting methodologies and their limitations, nor did they include a description of the safeguards in place to ensure the functional independence of valuations or potential conflicts in the process. The FCA also observed examples of vague rationales for key assumption changes, such as adjustments in discount rates.
The FCA stated that it would encourage firms to engage with auditors appropriately, by inviting them to observe valuation committee meetings, raising auditor challenges at those meetings and taking proactive measures to manage conflicts of interest involving the audit service provider. It also stated that back-testing results can help firms inform their approach to valuations, by identifying insights about current market conditions and potential limitations in models, assumptions and inputs, and encouraged firms to consider investing in technology to improve consistency and reduce the risk of human error in valuation processes.
Frequency and ad hoc valuations
The FCA noted that infrequent valuation cycles risk stale valuations, which may not accurately reflect the current conditions of investors’ holdings. This can lead to potential harm, such as inappropriate fees or investors redeeming at inappropriate prices.
The FCA emphasised that conducting ad hoc valuations (outside of the regular valuation schedule) can help mitigate the risk of stale valuations if material events cause significant changes in market conditions or how an asset performs.
Most firms, however, were found to lack formal processes for conducting ad hoc valuations. The FCA urged firms to incorporate a defined process for ad hoc valuations, including defining the thresholds and types of events that would trigger an ad hoc valuation (such as movement in the average multiple of the comparable set, company-specific events and fund-level triggers). It found that most firms waited for changes to flow through at the next valuation cycle instead of conducting ad hoc valuations. Only a few firms formally incorporated ad hoc valuations into their valuation processes by having defined types of events that would trigger these. The FCA stated firms should consider incorporating defined ad hoc valuation processes to mitigate the risk of stale valuations.
Transparency to investors
The FCA emphasised that transparency to investors increases confidence in their decision-making around private assets and enables them to make better informed decisions. The FCA urged full-scope UK AIFMs to provide investors with clear information about valuations and their calculations and encouraged all FCA-regulated firms to pay close attention to the information and needs of their clients.
The Review’s Findings highlighted that most firms demonstrated good practice by reporting both quantitative and qualitative information on performance at the fund and asset levels, as well as holding regular conference calls with investors. Some firms further enhanced their reporting by including a ‘value bridge’ in their investor reports, showing the different components driving changes in asset values or net asset values, helping investors to better understand the factors influencing valuation changes. The FCA noted that some firms faced barriers limiting their ability to share information with investors. These barriers included restrictions arising from non-disclosure agreements and concerns about the commercial sensitivity of sharing valuation models.
The FCA urged firms to consider whether they can improve investor reporting and engagement by providing detail on fund-level and asset-level performance to increase transparency and investor confidence in the valuation process.
Application of valuation methodologies
The FCA stressed that valuation methodologies must be applied consistently for valuations to be appropriate and fair. In its review, the FCA observed that while firms generally applied valuation methodologies consistently within each asset class, there were instances where firms employed different approaches, such as in the comparable sets and discount rate components used for private equity assets. While firms could reasonably justify the use of different assumptions, the FCA expressed concerns that these variations might impair investors’ ability to compare valuations across firms. Firms demonstrating good practice were those that employed another established methodology as a sense check to validate their primary valuation and confirm their judgment.
The FCA expects firms to apply valuation methodologies and assumptions consistently, making valuation adjustments solely based on fair value. It also emphasised the need for valuation committees and independent functions to focus on these adjustments to ensure decisions are robust and well-documented.
Use of third-party valuation advisers
The FCA noted that it is good practice to seek further validation for internal valuations through third-party valuation advisers, particularly after identifying material conflicts of interest, such as calculating fees, pricing redemptions and subscriptions, and transferring assets using valuations.
The FCA found that most managers engaged third-party valuation advisers and discussed their controls to assess the quality of service and independence provided by these advisers. Examples of good practice included conducting an annual exercise whereby the firm used a valuation from an alternative provider for the same asset and compared the quality of valuations from both providers.
Firms that adopted good practices had considered the limitations of the service provided, taken steps to ensure the independence of the third-party valuation advisers, and retained responsibility for valuation decisions.
The FCA urged firms to consider the strengths and limitations of the service provided and to disclose the nature of these services to investors, including the portfolio coverage and frequency of valuations. Additionally, firms need to be aware of potential conflicts of interest when using third-party valuation advisers and should ensure that investment professionals are kept at arm’s length to maintain the independence of third-party valuations.
Next Steps
The FCA indicated that the Review’s Findings will inform its review of the AIFMD and will be taken into consideration when updates are made to the FCA’s Handbook rules. Furthermore, the FCA indicated that the Review’s Findings will inform its contribution to the International Organization of Securities Commission’s review of global valuation standards to support the use of proportionate and consistent valuation standards globally in private markets.
In the meantime, the FCA has said that managers should assess the Review’s Findings and address any gaps in their valuation processes to ensure they are robust and are supported by a strong governance framework with a clear audit trail. Boards and valuation committees should also be provided with regular and sufficient information on valuations to ensure effective oversight.
In light of the above, fund managers and other regulated firms in the UK performing key functions related to funds should:

consider reviewing the FCA’s findings and identify any gaps in their valuation approach, taking action to address deficiencies where applicable;
ensure their governance arrangements provide accountability for valuation processes;
assess whether their valuation committees have sufficient independence and expertise to make valuation decisions; and
enhance oversight of third-party valuation advisers and consider the strengths and limitations of service providers.

Massachusetts Court Denies Certification of Privacy Class Action for Failure to Meet Ascertainability Requirement

On February 14, 2025, in Therrien v. Hearst Television, Inc., the District of Massachusetts denied a motion for class certification due to the plaintiff’s failure to meet the implied ascertainability requirement of Rule 23. The court concluded that the named plaintiff’s claims for unlawful disclosure of personally identifiable information could not be maintained on a class-wide basis because the proposed method for identifying class members was “administratively infeasible” and raised due process concerns.
Therrien’s Video Privacy Protection Act Claim Based on Geolocation Data
Charles Therrien brought this case on his own behalf and other similarly situated individuals against Hearst Television, Inc. (“HTV”) for allegedly unlawfully disclosing his personally identifiable information to third parties in violation of the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710. The VPPA prohibits a videotape service provider from knowingly disclosing personally identifiable information concerning any of its consumers.
HTV is a news and weather broadcaster that offers mobile phone apps on which users can read articles and watch associated videos. The apps collect users’ geolocation data. To send push and email updates, HTV utilizes Braze, a third-party software-as-a-service-provider. Although users have the option to enable or disable sharing geolocation data, when it is enabled, users’ geolocation data is shared with Braze.
In addition, HTV also uses Google Ad Manager to send targeted advertisements to its apps’ users. Like Braze, if a user has enabled geolocation services, the geolocation data is shared with Google.
Thus, Therrien claimed that, because his geolocation data was shared with third parties, HTV violated the VPPA.
Therrien’s Proposed Class Definition of Mobile App Users
Therrien sought certification for this class action claim, for which he was required to establish the four threshold requirements of Rule 23(a) — numerosity, commonality, typicality, and adequacy — as well as the two additional prerequisites of Rule 23(b)(3) – predominance and superiority.
Although not one of the four threshold requirements of Rule 23(a), ascertainability is an implicit requirement that a plaintiff also must meet for class certification. Ascertainability requires that the class is “currently and readily identifiable based on objective criteria.” Additionally, the plaintiff’s proposed mechanism for determining class members must be both administratively feasible and protective of the defendant’s Seventh Amendment and due process rights.
To assess whether Therrien met the Rule 23 requirements, the court scrutinized the proposed class definition. In the present case, Therrien’s proposed class was defined as “All persons in the United States that (i) downloaded one of the Class Apps onto their mobile phone, (ii) enabled location permissions for the Class App for at least 250 sessions over a period of at least one month, and (iii) watched at least ten (10) videos between May 5, 2021, and April 16, 2024 (the “Class Period”).”
Courts considering class definitions will often assess the way the definition has been drafted, but in this case, the court’s analysis did not turn on the drafting of the definition but on the validity of Therrien’s proposed mechanism for identifying class members.
Court’s Critique of Therrien’s Proposed Methodology and Denial of Certification
For purposes of identifying class members, Therrien aimed to rely on an expert witness’s methodology using geolocation data. This method would involve analyzing geolocation data points to generate names of mobile app users, followed by testimony from each user confirming that the information obtained belongs to them and is accurate.
The court highlighted that this method would be administratively infeasible and could potentially violate HTV’s due process rights, running afoul of In re Nexium Antitrust Litig. Expanding upon the infeasibility of this method, the court noted that, for addresses where there are multiunit apartment buildings with hundreds of occupants, geolocation points could not be used to identify specific unit numbers, and therefore specific users, of the HTV apps.
Thus, the generated user data could not be used to differentiate putative class members from other users, making it nearly impossible to provide notice of a pending class action. Applying the reasoning from In re Asacol Antitrust Litig., the court noted that the proposed process would likely result in thousands of class members waiting to provide testimony on individual issues, which would predominate over common ones.
Moreover, the court explained that, although affidavits may be sufficient for differentiating between individuals who were injured and who were not injured, testimony used as part of a party’s affirmative case cannot be used to certify a class, “without providing the defendant an opportunity to litigate its defenses.” Because the determination of whether HTV shared personally identifiable information with Braze and Google is an essential element of the VPPA claim, this information could not be used for the purpose of fulfilling the ascertainability requirement.
Based on the foregoing administrative hurdles and due process considerations, the court denied the motion for class certification.
The court’s analysis highlights the importance of a sound mechanism for identifying class members and the potency of an ascertainability challenge if defense counsel can effectively illustrate practical challenges for the court.
More than anything, this case makes clear that it would be imprudent for litigants to treat ascertainability as an afterthought in their Rule 23(a) analysis because, as the holding of this court illustrates, failing to meet ascertainability is fatal for class certification within the First Circuit.
Finally, the decision in Hearst Television highlights that venue can be outcome determinative in class action litigation, where there is a persistent circuit court split on whether a class representative must prove an administratively feasible method of identifying absent class members as a precondition for class certification under Rule 23, with the First Circuit aligned with the Third and Fourth Circuits and the Second, Sixth, Seventh, Eighth, Ninth, and Eleventh Circuits following a more permissive standard.
Until the Supreme Court speaks on this division that is ripe for review, litigants should continue to address ascertainability as a critical issue at the certification stage.