Mexico’s New Personal Data Protection Law: Considerations for Businesses

On March 20, 2025, Mexico’s new Federal Law on the Protection of Personal Data held by Private Parties (FLPPDPP) was published in the Official Gazette of the Federation. Effective March 21, the new law replaces the FLPPDPP published in July 2010.
Among the key changes the decree and new FLPPDPP introduce is the dissolution of the National Institute of Transparency, Access to Information, and Protection of Personal Data (INAI). Before the decree’s publication, INAI served as an autonomous regulatory and oversight authority for matters related to transparency, information access, and personal data protection. As of March 21, 2025, these responsibilities will be transferred to the Ministry of Anticorruption and Good Governance (Ministry), a governmental body reporting directly to the executive branch. The Ministry will now supervise, oversee, and regulate personal data protection matters.  
Related to personal data protection, companies may wish to consider the following points when preparing to comply with the new FLPPDPP:

The definition of “personal data” is amended to remove the previous limitation to natural persons, expanding the scope to any identifiable individual—when their identity can be determined directly or indirectly through any information.   
The law now requires that the data subject give consent “freely, specifically, and in an informed manner.”   
Public access sources are now limited to those the law explicitly authorizes for consultation, provided no restrictions apply, and are only subject to the payment of the applicable consultation fee.   
The scope of personal data processing expands to encompass “any operation or set of operations performed through manual or automated procedures applied to personal data, including collection, use, registration, organization, preservation, processing, communication, dissemination, storage, possession, access, handling, disclosure, transfer, or disposal of personal data.”   
As a general rule, the data subject’s tacit consent is deemed sufficient for data processing, unless the law expressly requires obtaining prior explicit consent.   
Regarding the privacy notice, the new FLPPDPP requires data controllers to specify the purposes of processing that require the data subject’s consent. Additionally, the express obligation to disclose data transfers the controller carries out is eliminated.   
Resolutions the Ministry issues may be challenged through amparo proceedings before specialized judges and courts.

Takeaways

1. Although this amendment does not introduce substantial changes with respect to the obligations of those responsible for processing personal data, companies should review their privacy notice and, if necessary, adjust it to the provisions of the FLPPDPP including, where appropriate, replacing references to the INAI.

2. If any data protection proceedings were initiated before the INAI while the previous law was in effect, the provisions of the prior law will continue to govern such proceedings, with the exception that the Ministry will now handle them.

3. The executive branch will have 90 days to issue the necessary amendments to the new FLPPDPP regulations. Companies should monitor for the amendments’ publication to identify changes that may impact their compliance obligations under the new law.


Will Texas Become the First State to Enact a “Mini-CFIUS” Review Process?

On March 13, 2025, the Texas Legislature introduced HB 5007, which, if enacted, could establish the first US state regime tasked with screening foreign investments on national security grounds.[1] 
To be sure, this is not the first attempt by Texas to regulate acquisitions by foreign buyers within the state. The Lone Star Infrastructure Protection Act[2] (LIPA), which took effect in June 2021, prohibits Texas businesses from contracting with entities owned or controlled by individuals from China, Russia, North Korea and Iran if the contracting relates to critical infrastructure.[3] In addition, many other states have passed legislation limiting certain foreign investments into agricultural land within their borders.[4]  Others are debating similar legislation.
HB 5007 is wholly different. It calls for the formation of a Texas Committee on Foreign Investment (TCFI). Modeled on the federal government’s interagency Committee on Foreign Investment in the United States or CFIUS, TCFI would be comprised of representatives from various Texas state agencies and charged with overseeing the pre-closing review and regulation of foreign acquisitions affecting “critical infrastructure” in Texas, agricultural land in Texas, or the sensitive personal data of Texas residents.[5] Subject to a monetary threshold to be determined by the governor, such transactions would require notification to the Texas Attorney General at least 90 days before closing, with penalties for non-compliance of up to $50,000 per violation.
While there is still uncertainty on whether and when Texas may implement the TCFI, companies considering transactions not only in Texas, but in other states rapidly enacting similar laws, should make sure to perform the necessary due diligence to identify and comply with these regulations, and also build in adequate time for closing delays based on mandatory notification periods that may vary by state. 
———————————————————
[1] TX HB5007, accessible at: https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=HB5007
[2] Lone Star Infrastructure Protection Act, 87th Leg., R.S., S.B. 2116 (codified as Tex. Bus. & Com. Code § 113.001, et seq.)
[3] LIPA defines critical infrastructure as: 1) communication infrastructure systems; 2) cybersecurity system; 3) electric grid; 4) hazardous waste treatment systems; and 5) water treatment facilities.
[4] https://nationalaglawcenter.org/state-compilations/aglandownership/
[5] “Critical infrastructure” is defined more broadly under HB 5007 than LIPA and includes, among other categories: critical manufacturing, dams, defense industrial bases, emergency services, communications facilities, energy, health care, food, financial services, information technology, transportation systems, nuclear materials, water systems, and government facilities.

FCA Review of Private Fund Market Valuation Practices

Go-To Guide:

The United Kingdom’s Financial Conduct Authority (FCA) is increasing its scrutiny of private fund market valuation practices, highlighting the need for stronger governance, transparency, and conflict-of-interest management across fund managers.
Fund managers are expected to apply consistent valuation methodologies, maintain functional independence in valuation processes, and address gaps in ad hoc valuation procedures.
The FCA has emphasised the importance of engaging third-party valuation advisers and has reminded fund managers of the importance of ensuring the independence of valuers.
Private fund managers should consider conducting gap analyses and strengthening their valuation frameworks to align with the FCA’s expectations.

Background
The FCA has embarked on a level of engagement with the private funds sector not seen since the consultation and engagement exercises surrounding the implementation of the Alternative Investment Fund Managers Directive (AIFMD) in 2013.
On 26 February 2025, the FCA issued a letter to the CEOs of all asset management and alternative firms, setting out its priorities for the year and informing them that it intends to:

engage with the UK fund management industry in a review of the UK’s implementation of the AIFMD, with a view to streamlining certain UK regulatory requirements (i.e. after maintaining a post-Brexit status quo, the FCA is now finally considering how UK private fund managers and their affiliated entities should be regulated); and
launch a review of conflict of interest management within UK fund managers. As part of this, the FCA will assess how firms oversee the application of their conflict of interest frameworks through their governance bodies and evaluate how investor outcomes are protected. (Note that the FCA will likely expect to see actual living processes deployed to prevent conflicts at all levels of a fund’s structure, with the efficiency of those processes tested by UK managers).

Subsequently, on 5 March 2025, the FCA published its findings from its review of private market valuation practices (the “Review’s Findings”).
Context of the FCA Review
The FCA’s review stemmed from its concern that private market assets, unlike public market assets, are not subject to frequent trading or regular price discovery. This requires firms to estimate values using judgment-based approaches, which can pose risks of inappropriate valuations due to conflicts of interest or insufficient expertise.
Private fund managers in the UK deploy a variety of different structures:

many of the valuation-related issues are more pronounced for open-ended funds that permit redemptions during the fund’s life, compared to closed-ended funds, where the true value and performance can only be determined at the end of the fund’s life when assets are sold.
funds that invest into a variety of assets, from relatively liquid ones (as is common with many hedge funds) to illiquid assets whose value may evolve as managers improve the asset (e.g. real estate funds and certain private equity funds).

We expect that the FCA will continue to focus on this area and will likely require all compliance teams across UK fund managers – regardless of their fund strategies – to conduct a gap analysis against the Review’s Findings. 
The Review’s Findings
The FCA identified examples of good practice in firms’ valuation processes, including:

high-quality reporting to investors;
comprehensive documentation of valuations; and
use of third-party valuation advisers to enhance independence, expertise, and the consistent application of established valuation methodologies.

Overall, the FCA found that firms recognised the importance of robust valuation processes that prioritise independence, expertise, transparency and consistency.
The Review’s Findings, however, also identified areas requiring improvement, particularly in managing conflicts of interest. For example, conflicts can arise between a manager and its investors in the valuation process, such as when fees charged to investors depend on asset valuations. While firms acknowledged conflicts relating to fee structures and remuneration policies, the FCA found that other potential valuation-related conflicts were inadequately recognised or documented. These include:

conflicts in investor marketing, where unrealised performance of existing funds may be used to market new funds;
secured borrowing, where valuations may be inflated to secure higher borrowing levels; and
pricing of redemptions and subscriptions based on a fund’s net asset value.

The FCA expects firms to identify, document, and assess all potential and relevant valuation-related conflicts, determine their materiality, and take actions needed to mitigate or manage them.
The Review’s Findings also highlighted variations in firms’ approaches to independence within valuation processes. The FCA noted that functional independence within valuation functions and voting membership of valuation committees are critical for effective control and expert challenge. Additionally, the FCA found that many firms lacked clearly defined processes or consistent approaches for conducting ad hoc valuations during market or asset-specific events. Given the importance of ad hoc valuations in mitigating the risk of stale valuations, the FCA encouraged firms to consider the types of events and quantitative thresholds that could trigger such valuations and document how they are to be conducted.
The FCA flagged the following key areas for managers to consider reviewing and potentially improving:

the governance of their valuation processes;
the identification, documentation, and management of potential conflicts within valuation processes;
ensuring functional independence for their valuation process; and
incorporating defined processes for ad hoc valuations.

Breakdown of the Review’s Findings
Governance arrangements
The FCA found that while most firms had specific governance arrangements in place for valuations, including valuation committees responsible for making valuation decisions or recommendations, there were instances where committee meeting minutes lacked sufficient detail on how valuation decisions were reached. The FCA emphasised that firms must keep detailed records to enhance confidence in the effectiveness of oversight for valuation decisions.
Conflicts of interest
The FCA expects firms to identify, avoid, manage and, when relevant, disclose conflicts of interest. The Review’s Findings identified specific areas where conflicts are likely to arise, including investor fees, asset transfers, redemptions and subscriptions, investor marketing, secured borrowing, uplifts and volatility and employee remuneration. While the FCA found that conflicts around fees and remuneration were typically identified and mitigated through fee structures and remuneration policies, other potential conflicts were only partially identified and documented. Many managers had not sufficiently considered or documented these conflicts, often relying on generic descriptions.
The FCA expects firms to thoroughly assess whether valuation-related conflicts are relevant and, if so, to properly document them and the actions taken to mitigate or manage them. This may include engaging third-party valuation advisers.
Functional independence and expertise
The FCA reviewed the extent to which firms maintained independent judgment within their valuation processes, by looking at independent functions and the expertise of valuation committee members.
Only a small number of managers clearly demonstrated functional independence by maintaining a dedicated valuation function or an independent control function to lead on valuations. Such functions were responsible for developing valuation models and preparing recommendations for decisions made by valuation committees.
The FCA noted that examples of good practice to ensure independence included establishing a separate function to lead valuations and ensuring sufficient independence within the voting membership of valuation committees to guarantee effective control and expert challenge.
Policies, procedures and documentation
Unsurprisingly, the FCA emphasised that clear, consistent and appropriate policies, procedures and documentation are core components of a robust valuation process. These elements ensure a consistent approach to valuations and enable auditors and investors to verify adherence to the valuation process.
The FCA found that not all firms provided sufficient detail on their rationales for selecting methodologies and their limitations, nor did they include a description of the safeguards in place to ensure the functional independence of valuations or potential conflicts in the process. The FCA also observed examples of vague rationales for key assumption changes, such as adjustments in discount rates.
The FCA stated that it would encourage firms to engage with auditors appropriately, by inviting them to observe valuation committee meetings, raising auditor challenges at those meetings and taking proactive measures to manage conflicts of interest involving the audit service provider. It also stated that back-testing results can help firms inform their approach to valuations, by identifying insights about current market conditions and potential limitations in models, assumptions and inputs, and encouraged firms to consider investing in technology to improve consistency and reduce the risk of human error in valuation processes.
Frequency and ad hoc valuations
The FCA noted that infrequent valuation cycles risk stale valuations, which may not accurately reflect the current conditions of investors’ holdings. This can lead to potential harm, such as inappropriate fees or investors redeeming at inappropriate prices.
The FCA emphasised that conducting ad hoc valuations (outside of the regular valuation schedule) can help mitigate the risk of stale valuations if material events cause significant changes in market conditions or how an asset performs.
Most firms, however, were found to lack formal processes for conducting ad hoc valuations. The FCA urged firms to incorporate a defined process for ad hoc valuations, including defining the thresholds and types of events that would trigger an ad hoc valuation (such as movement in the average multiple of the comparable set, company-specific events and fund-level triggers). It found that most firms waited for changes to flow through at the next valuation cycle instead of conducting ad hoc valuations. Only a few firms formally incorporated ad hoc valuations into their valuation processes by having defined types of events that would trigger these. The FCA stated firms should consider incorporating defined ad hoc valuation processes to mitigate the risk of stale valuations.
Transparency to investors
The FCA emphasised that transparency to investors increases confidence in their decision-making around private assets and enables them to make better informed decisions. The FCA urged full-scope UK AIFMs to provide investors with clear information about valuations and their calculations and encouraged all FCA-regulated firms to pay close attention to the information and needs of their clients.
The Review’s Findings highlighted that most firms demonstrated good practice by reporting both quantitative and qualitative information on performance at the fund and asset levels, as well as holding regular conference calls with investors. Some firms further enhanced their reporting by including a ‘value bridge’ in their investor reports, showing the different components driving changes in asset values or net asset values, helping investors to better understand the factors influencing valuation changes. The FCA noted that some firms faced barriers limiting their ability to share information with investors. These barriers included restrictions arising from non-disclosure agreements and concerns about the commercial sensitivity of sharing valuation models.
The FCA urged firms to consider whether they can improve investor reporting and engagement by providing detail on fund-level and asset-level performance to increase transparency and investor confidence in the valuation process.
Application of valuation methodologies
The FCA stressed that valuation methodologies must be applied consistently for valuations to be appropriate and fair. In its review, the FCA observed that while firms applied valuation methodologies generally consistently by asset class, there were instances where firms employed different approaches, such as comparable sets and discount rate components for private equity assets. While firms could reasonably justify the use of different assumptions, the FCA expressed concerns that these variations might impair investors’ ability to compare valuations across firms. Firms demonstrating good practice were those that employed another established methodology as a sense check to validate their primary valuation and confirm their judgment.
The FCA expects firms to apply valuation methodologies and assumptions consistently, making valuation adjustments solely based on fair value. It also emphasised the need for valuation committees and independent functions to focus on these adjustments to ensure decisions are robust and well-documented.
Use of third-party valuation advisers
The FCA noted that it is good practice to seek further validation for internal valuations through third-party valuation advisers, particularly after identifying material conflicts of interest, such as calculating fees, pricing redemptions and subscriptions, and transferring assets using valuations.
The FCA found that most managers engaged third-party valuation advisers and discussed their controls to assess the quality of service and independence provided by these advisers. Examples of good practice included conducting an annual exercise whereby the firm used a valuation from an alternative provider for the same asset and compared the quality of valuations from both providers.
Firms that adopted good practices had considered the limitations of the service provided, taken steps to ensure the independence of the third-party valuation advisers, and retained responsibility for valuation decisions.
The FCA urged firms to consider the strengths and limitations of the service provided and to disclose the nature of these services to investors, including the portfolio coverage and frequency of valuations. Additionally, firms need to be aware of potential conflicts of interest when using third-party valuation advisers and should ensure that investment professionals are kept at arm’s length to maintain the independence of third-party valuations.
Next Steps
The FCA indicated that the Review’s Findings will inform its review of the AIFMD and will be taken into consideration when updates are made to the FCA’s Handbook rules. Furthermore, the FCA indicated that the Review’s Findings will inform its contribution to the International Organization of Securities Commissions’ review of global valuation standards to support the use of proportionate and consistent valuation standards globally in private markets.
In the meantime, the FCA has said that managers should assess the Review’s Findings and address any gaps in their valuation processes to ensure they are robust and are supported by a strong governance framework with a clear audit trail. Boards and valuation committees should also be provided with regular and sufficient information on valuations to ensure effective oversight.
In light of the above, fund managers and other regulated firms in the UK performing key functions related to funds should:

consider reviewing the FCA’s findings and identify any gaps in their valuation approach, taking action to address deficiencies where applicable;
ensure their governance arrangements provide accountability for valuation processes;
assess whether their valuation committees have sufficient independence and expertise to make valuation decisions; and
enhance oversight of third-party valuation advisers and consider the strengths and limitations of service providers.

Massachusetts Court Denies Certification of Privacy Class Action for Failure to Meet Ascertainability Requirement

On February 14, 2025, in Therrien v. Hearst Television, Inc., the District of Massachusetts denied a motion for class certification due to the plaintiff’s failure to meet the implied ascertainability requirement of Rule 23. The court concluded that the named plaintiff’s claims for unlawful disclosure of personally identifiable information could not be maintained on a class-wide basis because the proposed method for identifying proposed class members was “administratively infeasible” and raised due process concerns.
Therrien’s Video Privacy Protection Act Claim Based on Geolocation Data
Charles Therrien brought this case on his own behalf and other similarly situated individuals against Hearst Television, Inc. (“HTV”) for allegedly unlawfully disclosing his personally identifiable information to third parties in violation of the Video Privacy Protection Act (VPPA), 18 U.S.C. § 2710. The VPPA prohibits a videotape service provider from knowingly disclosing personally identifiable information concerning any of its consumers.
HTV is a news and weather broadcaster that offers mobile phone apps on which users can read articles and watch associated videos. The apps collect users’ geolocation data. To send push and email updates, HTV utilizes Braze, a third-party software-as-a-service-provider. Although users have the option to enable or disable sharing geolocation data, when it is enabled, users’ geolocation data is shared with Braze.
In addition, HTV also uses Google Ad Manager to send targeted advertisements to its apps’ users. Like Braze, if a user has enabled geolocation services, the geolocation data is shared with Google.
Thus, Therrien claimed that, because his geolocation data was shared with third parties, HTV violated the VPPA.
Therrien’s Proposed Class Definition of Mobile App Users
Therrien sought certification for this class action claim, for which he was required to establish the four threshold requirements of Rule 23(a) — numerosity, commonality, typicality, and adequacy — as well as the two additional prerequisites of Rule 23(b)(3) – predominance and superiority.
Although not one of the four threshold requirements of Rule 23(a), ascertainability is an implicit requirement that a plaintiff also must meet for class certification. Ascertainability requires that the class is “currently and readily identifiable based on objective criteria.” Additionally, the plaintiff’s proposed mechanism for determining class members must be both administratively feasible and protective of the defendant’s Seventh Amendment and due process rights.
To assess whether Therrien met the Rule 23 requirements, the court scrutinized the proposed class definition. In the present case, Therrien’s proposed class was defined as,  “All persons in the United States that (i) downloaded one of the Class Apps onto their mobile phone, (ii) enabled location permissions for the Class App for at least 250 sessions over a period of at least one month, and (iii) watched at least ten (10) videos between May 5, 2021, and April 16, 2024 (the “Class Period”).”
Courts considering class definitions will often assess the way the definition has been drafted, but in this case, the court’s analysis did not turn on the drafting of the definition but on the validity of Therrien’s proposed mechanism for identifying class members.
Court’s Critique of Therrien’s Proposed Methodology and Denial of Certification
For purposes of identifying class members, Therrien aimed to rely on an expert witness’s methodology using geolocation data. This method would involve analyzing geolocation data points to generate names of mobile app users, followed by testimony from each user confirming that the information obtained belongs to them and is accurate.
The court highlighted that this method would be administratively infeasible and could potentially violate HTV’s due process rights, running afoul of In re Nexium Antitrust Litig. Expanding upon the infeasibility of this method, the court noted that, for addresses where there are multiunit apartment buildings with hundreds of occupants, geolocation points could not be used to identify specific unit numbers, and therefore specific users, of the HTV apps.
Thus, the generated user data could not be used to differentiate putative class members from other users, making it nearly impossible to provide notice of a pending class action. Applying the reasoning from In re Asacol Antitrust Litig., the court noted that the proposed process would likely result in thousands of class members waiting to provide testimony on individual issues, which would predominate over common ones.
Moreover, the court explained that, although affidavits may be sufficient for differentiating between individuals who were injured and who were not injured, testimony used as part of a party’s affirmative case cannot be used to certify a class, “without providing the defendant an opportunity to litigate its defenses.” Because the determination of whether HTV shared personally identifiable information with Braze and Google is an essential element of the VPPA claim, this information could not be used for the purpose of fulfilling the ascertainability requirement.
Based on the foregoing administrative hurdles and due process considerations, the court denied the motion for class certification.
The court’s analysis highlights the importance of a sound mechanism for identifying class members and the potency of an ascertainability challenge if defense counsel can effectively illustrate practical challenges for the court.
More than anything, this case makes clear that it would be imprudent for litigants to treat ascertainability as an afterthought in their Rule 23(a) analysis because, as the holding of this court illustrates, failing to meet ascertainability is fatal for class certification within the First Circuit.
Finally, the decision in Hearst Television highlights that venue can be outcome determinative in class action litigation, where there is a persistent circuit court split on whether a class representative must prove an administratively feasible method of identifying absent class members as a precondition for class certification under Rule 23, with the First Circuit aligned with the Third and Fourth Circuits and the Second, Sixth, Seventh, Eighth, Ninth, and Eleventh Circuits following a more permissive standard.
Until the Supreme Court speaks on this division that is ripe for review, litigants should continue to address ascertainability as a critical issue at the certification stage.

IMC ORDERED TO REPLY TO NATIONAL CONSUMERS LEAGUE: Eleventh Circuit Appears to Be Proceeding with Caution in Challenge to FCC One-to-One Ruling

Day by day it seems the odds of the one-to-one rule being brought back from the dead steadily increase – even if the ruling is still VERY much dead for the time being.
With the additional scrutiny afforded by 28 AGs suddenly joining with the NCLC to “close the lead generation loophole” the pressure on the court is ramping up.
In the latest development, just minutes ago the court directed IMC to respond to an effort by several additional parties – including the NCL – to join the case.
IMC already responded to an effort by NCLC – that extra C matters! – but now they have to respond regarding the new parties as well.
The order reads:
Respondents are hereby DIRECTED to respond to the motion to intervene filed by the National Consumers League, Mark Schwanbeck, Micah Mobley, Christopher K. McNally, and Chuck Osborne. The response is due on Friday, April 4, 2025.
The order was entered by the clerk of the court “by direction” – meaning the judges wanted to hear more.
Very interesting.
We’ll keep an eye on it.

HOTLY LITIGATED: Pennsylvania Court Finds Plaintiff Implicitly Consented to Third-Party Tracking Software

A recent ruling in Popa v. Harriet Carter Gifts, Inc. (W.D. Pa. March 24, 2025) has reaffirmed the role of privacy policies in establishing user consent for online tracking. After being remanded by the Third Circuit, the Pennsylvania District Court considered a motion for summary judgement focused solely on the issue of whether the plaintiff consented to alleged interception of her data under Pennsylvania’s Wiretap Act. Applying the reasonable person standard, the Court ruled that Popa had constructive notice of the website’s privacy policy – contained in a browsewrap agreement – and therefore consented to the use of tracking software.
The Allegations
Plaintiff Ashley Popa brought a class action against Harriet Carter Gifts, Inc. and NaviStone, Inc. alleging that they violated the Pennsylvania Wiretapping and Electronic Surveillance Control Act of 1978 (“WESCA”) by unlawfully intercepting her data while she shopped on Harriet Carter’s website (the “Website”).
WESCA prohibits the interception of electronic communications without the prior consent of all parties to the communication.
The Privacy Policy
The Website had a privacy policy hyperlinked in its footer, which both parties and their experts agreed was a common practice for commercial websites. Interestingly, the parties also agreed that in 2018, it would have been a “reasonable conclusion” for a company to believe that it ought to present the privacy policy in this manner.  The hyperlink was labelled “Privacy Statement” and was in white font against a blue background.
Harriet Carter’s privacy policy broadly addressed its data collection and use practices: it stated that Harriet Carter collected customer information (without addressing what information) and explained that cookies were used to keep track of shopping carts and deliver targeted content.
In a separate section titled “Who Else Has Access to the Information I provide to Harriet Carter.com?” the policy also addressed third party access to customer information through use of a cookie or pixel tag – which Harriet Carter deemed “industry standard technology”. The policy noted that no personally identifiable information would be collected through this process, but third parties may pool the information from Harriet Carter’s website with other sources of information that could include the customer’s name and mailing address.
Popa testified that she had never reviewed Harriet Carter’s privacy policy.
The Motions
In 2020, the Defendants filed a motion for summary judgment which was granted by the District Court. The Court held that there was no interception under WESCA because NaviStone, which operated the program that caused the alleged interception, was a direct party to the communications and because the alleged interception occurred outside Pennsylvania and was therefore outside the scope of WESCA. Following an appeal by Popa, the Third Circuit Court of Appeals reversed, holding that there is no sweeping direct-party exception under WESCA and that there was a genuine issue of material fact as to where the interception occurred.
The Third Circuit also noted that the issue of whether Harriet Carter posted a privacy policy and the sufficiency of the privacy policy was not addressed by the District Court and remanded this issue to the Court.
On remand, Defendants filed a second motion for summary judgment, focusing solely on the issue of consent and contending that Popa was on constructive notice of Harriet Carter’s privacy policy and therefore consented to the communications being recorded as described therein.
The Court’s Analysis
In its analysis, the Court noted the objective standard to interpret the consent provisions of WESCA – whether a reasonably prudent person can be deemed to have consented under the circumstances. The Court looked to the decision in Commonwealth v. Byrd, where the Pennsylvania Supreme Court held that actual knowledge that communications may be recorded is not required to satisfy the consent requirement under WESCA.
Notably, the Court took into consideration the ubiquitous use of tracking technologies on the internet and stated that, “when determining whether a reasonable person can be deemed to consent to an interception under WESCA, it must be mindful of the reality of internet communication.” Therefore, it held that while the nature of the internet does not confer blanket implied consent to interception under WESCA, “a reasonably prudent person has a lower expectation of privacy on the internet” than on other technologies (like telephones) which do not use cookies, algorithms, and trackers.

Next, the Court considered the scope of Harriet Carter’s privacy policy, looking specifically at whether a reasonable person could have been alerted that third parties, like NaviStone, may access information about consumers’ activities on the Website. The Court answered affirmatively – the privacy policy made clear that the Website used tracking cookies, and that Harriet Carter may share information about users’ activities with third parties. The Court also rejected Popa’s argument that the privacy policy was insufficient because it did not contain details about the identity of the third parties or the specific type of cookies used, holding that such “granular details” were immaterial because WESCA focuses on the event of interception rather than the specific means thereof.
Lastly, the Court considered whether Popa consented to NaviStone’s tracking on the Website. The central question here was not whether Popa had actual knowledge of the alleged interceptions (the record established that Popa never reviewed the privacy policy), but rather, whether a reasonable person in her position could have known of the disclosures in the privacy policy. The Court acknowledged that the privacy policy on the Website was in the form of a “browsewrap agreement”, which does not require a user to click or take any affirmative action to consent to its terms. While such agreements are routinely enforced when a user has actual notice, in the absence of actual knowledge the court must look to the visibility and accessibility of the browsewrap agreement to determine whether it placed a user on inquiry notice of its terms.
The Court held that the privacy policy on Harriet Carter’s website was reasonably conspicuous based on the appearance and layout of the Website: it was labelled “Privacy Statement”, located at the center and bottom of each page, the hyperlink was in white font contrasting against a blue background, and a link to the policy could also be found in a drop-down menu on the left side of the website. These factors led the Court to find that a reasonable person in Popa’s position had constructive notice of the terms in the privacy policy, and that Popa constructively consented to the interception described in the policy. Therefore, there was no violation of WESCA.
Popa’s contention that the presence of NaviStone’s program meant that merely visiting Harriet Carter’s website would give rise to an interception before a reasonable user had a chance to view the privacy policy was rejected. The Court analogized to someone hanging up a phone call after hearing a disclosure that the call was being recorded – there would be no interception under WESCA because WESCA only applies to “contents” of communications. Similarly, to the extent that Popa was concerned about privacy, she could have immediately reviewed the privacy policy and, if concerned, left the page, and this would not lead to the interception of “content” under WESCA.
Takeaways
Though based on a state statute, this ruling signifies a shift in the hotly litigated arena of website tracking software.
For businesses, Popa may offer some respite – while explicit clickwrap agreements remain the gold standard, this case suggests that browsewrap agreements may still hold up in court if they are reasonably conspicuous and sufficiently disclose the use of third party tracking software. As digital privacy law continues to evolve, courts are likely to place greater emphasis on reasonable user expectations, meaning online users may need to be more proactive in understanding how their data is being collected.
Perhaps most interestingly, the Pennsylvania District Court’s willingness to acknowledge the widespread (maybe even indispensable) use of cookies and trackers demonstrates a growing understanding of the “reality of internet communication”. It will be interesting to see whether a similar approach is adopted by courts in states such as California, with its particularly stringent privacy laws.

HUMANA IN TROUBLE?: Company Seems to be On The Ropes in TCPA Class Action After Court Refuses to Strike Plaintiff’s Expert

So Anya Verkhovskaya is a nice enough lady.
I deposed her not long ago in connection with a case in which we just defeated certification literally yesterday.
But Humana is seemingly not going to be so lucky–although it is too early to tell.
In Elliot v. Humana, 2025 WL 897543 (W.D. Ky March 24, 2025) Humana moved to disqualify Anya arguing her methodology for identifying class members was not sound.
Her methodology boiled down to the following per the court’s ruling:
(1) Taking a list of phone numbers—identified by Humana’s own records—that received prerecorded calls from Humana but had told Humana that it had the wrong number;
(2) Confirming whether each number is assigned to a cellular telephone using third-party data processors to identify the names of all users associated with those phone numbers;
(3) Employing a historical reverse lookup process to retrieve related data associated with those users/phone numbers;
(4) Obtaining telephone carrier data to filter subscriber information (such as names, addresses, email addresses, subscription dates, and other plan-related information);
(5) Cross-referencing reverse lookup data against bulk telephone carrier data, obtained by carrier subpoena, to identify discrepancies; and
(6) Implementing a notice campaign using mail and email address information.
Ok.
Pretty low impact stuff. I probably would have recommended a rebuttal report (probably)– but I certainly would not have wasted time with a Daubert motion here. (If you’re hoping to defeat certification by challenging the notice plan I’ve got news for you– you’re in trouble.)
So it looks like Humana may be in trouble.
The Court looked at Anya’s methodology and found no fault, which is sort of unsurprising because it’s kind of a straightforward process.
Now courts have (rightly) rejected Anya’s reports in other cases where she makes a bunch of typos and offers opinions like “I just relied on somebody else to perform a scrub and assume their records were accurate and they did it right.”
Yeah, that’s not going to hold up.
But a process for identifying class members that is essentially just “find cell phone numbers in a file, send subpoenas, wait for results, send emails” is… well, child’s play.
Again, however, that SHOULDN’T be the focus of Humana’s efforts here. But… we’ll just have to wait and see how the bigger battle over certification turns out.

2024 Trends in First Circuit Class Actions

We are pleased to present our final 2024 update to the New England and First Circuit Class Action Tracker, which focuses on class action filings in state and federal courts within the boundaries of the First Circuit in New England.
In 2024, there were 444 total state and federal filings, representing a sustained trend of increased class action filings, and exceeding pre-pandemic levels for the first time. If this trend continues into 2025, historical high points for class action filings in New England may soon become the norm.
Cybersecurity and Data Privacy Litigation Continues to Grow
Federal class action cases in New England reflect a continued onslaught of cybersecurity and data privacy litigation arising from data breaches and the alleged unauthorized disclosure and/or use of consumer information, including TCPA claims.
The most asserted theories underlying data security and privacy class action claims were the exposure of personally identifiable information in a data breach and the receipt of unsolicited telephone calls and text messages.
The vast majority of these cases filed in federal courts have targeted professional services, health care, and retail/manufacturing industries, but there were also a significant number of filings targeting defendants in the technology and biotech/pharma services industries.
These record levels of federal cybersecurity and privacy litigation filings in New England are remarkable, because our totals do not include cases that were transferred and consolidated into the lead case In re: MOVEit Customer Data Security Breach Litigation (1:23-md-03083) pursuant to the transfer order from the Judicial Panel on Multidistrict Litigation dated October 4, 2023 transferring all listed actions to the District of Massachusetts and assigning them to Judge Allison D. Burroughs for consolidated pretrial proceedings.
In 2024 alone, 93 new cases were filed in connection with that multidistrict litigation and are not counted among the 213 federal district court filings in the District of Massachusetts in 2024.
Also notable, but not captured in our 2024 filing totals, is the removal of many previously filed wiretap class actions from Massachusetts state superior court to the District of Massachusetts in late 2024, following the Massachusetts Supreme Judicial Court’s ruling in Vita v. New England Baptist Hospital et al, SJC-13542.
If state court removals and multidistrict litigation filings had been included in our tabulation of cybersecurity and data privacy class actions in 2024, the already notably high filing levels would have skyrocketed even more dramatically.
Most Federal Cases Filed in Massachusetts District Courts
The overwhelming majority of federal class action cases in New England filed in 2024—nearly 80%—were filed in the District of Massachusetts, followed by the District of Rhode Island, the District of Maine, and the lowest levels of filings in the District of New Hampshire. This trend is consistent with prior years.
Securities and Antitrust Filings Up Year Over Year
Securities class action filings have increased by 50%, and antitrust class action complaints have nearly doubled over prior years, marking two very active areas of litigation. Securities filings increased most prominently in the District of Massachusetts, while antitrust class action cases rose primarily in the District of Rhode Island.
Industries Targeted are Consistent with Prior Years
As in prior years, the financial/professional services, manufacturing/retail, health care, technology, and pharmaceutical/biotechnology industries continued to be the most frequent targets of class action complaints in the First Circuit throughout 2024.
2025 Likely to Continue as Record Year for Class Action Filings
With 2024 filings at their highest level in years, we expect the class action boom in the First Circuit to continue, along with the trend of class actions against health care and technology industry defendants. As these trends continue, we see them evolving to include financial, legal, and educational institution defendants. We will continue to monitor these developments as 2025 progresses.

Oregon’s Privacy Law: Six Month Update, With Six Months to End of Cure Period

Oregon’s Attorney General released a new report this month, summarizing the outcomes since Oregon’s “comprehensive” privacy law took effect six months ago. A six-month report isn’t new: Connecticut released a six-month report in February of last year to assess how consumers and businesses were responding to its privacy law.
The report summarizes business obligations under the law, and highlights differences between the Oregon law and other, similar state laws. It also summarizes the education and outreach efforts conducted by the state’s Department of Justice. This includes a “living document” set of FAQs answering questions about the law. The report also summarizes the 110 consumer complaints received to date, and the enforcement actions the Privacy Unit has taken since the law went into effect. On the enforcement side, Oregon reports that it has initiated and closed 21 privacy enforcement matters, with companies taking prompt steps to cure the issues raised.
As a reminder, these actions are being brought during the law’s “cure” period, which gives companies a 30-day period to fix violations after receiving the Privacy Unit’s notice. The Oregon cure provision sunsets on January 1, 2026. Other states with a cure period are Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Tennessee, Texas, Utah, and Virginia. (Of these, Minnesota, New Hampshire, New Jersey, Oregon, Delaware, Maryland, and Montana will expire, with varying expiration dates between December 31, 2025 (Delaware) and April 1, 2027 (Maryland).) Those without a cure period, or where the cure period has expired, are California, Colorado, Connecticut, and Rhode Island. For an overview of US state “comprehensive” privacy laws, visit our tracker.
Common business deficiencies identified by Oregon in the enforcement notices included:

Disclosure issues: This included not giving consumers a notice of their rights under the law. Also of concern has been insufficiently informing Oregon consumers about their rights under the law, specifically the list of third parties to whom their data has been sold.
Confusing privacy notices: By way of example, Oregon pointed to, as confusing, notices that name some states in the “your state rights” section of the privacy policy, but do not specifically name Oregon. This, the report posits, gives consumers the impression that privacy rights are only available to people who live in those named states.
Lacking or burdensome rights mechanisms: In other words, not including a clear and conspicuous link to a webpage enabling consumers to opt out or request their privacy rights, or imposing inappropriately difficult authentication requirements.

Putting it into Practice: This report is a reminder to companies to look at their disclosures around consumer rights. It also sets out the state’s expectations around drafting notices that are “clear” and “accessible” to the “average consumer.” Companies have six months before the cure period in Oregon sunsets.

Extinction of the National Institute for Transparency, Access to Information, and Personal Data Protection

As we previously reported in an earlier newsletter, in accordance with the recent constitutional reform dated November 28, 2024, the extinction of seven autonomous agencies was decreed, including the National Institute for Transparency, Access to Information, and Personal Data Protection (INAI).
On Thursday, February 20, 2025, a Decree was published in the Official Gazette, enacting a new Federal Law on the Protection of Personal Data Held by Private Parties, as well as a new General Law on the Protection of Personal Data Held by Obligated Subjects.
These two new laws came into force on March 21, 2025, formalizing the extinction of INAI.
After reviewing these laws, it appears that the personal data protection framework—both for data held by private entities and by public entities of the Mexican Government—remains unchanged. There are no modifications to the rights of data subjects or to the obligations of those who process personal data.
Likewise, no changes have been observed in the legal framework for transparency and access to information.
The main change associated with these new laws is that all functions and powers previously held by INAI have now been transferred to the newly created Ministry of Anti-Corruption and Good Governance.
Another notable change is that the resolutions issued by this new Ministry may now be challenged through an amparo lawsuit before specialized courts in the field. Previously, INAI’s resolutions were challenged before the Federal Court of Administrative Justice.
As we previously warned, the elimination of autonomous agencies that oversee the actions of various federal government entities does not appear positive in a democratic state. Additionally, the concentration of INAI’s former powers—along with oversight and auditing functions—within a single Ministry does not seem advisable and could impact the continuity and effectiveness of the National Transparency Platform, as well as the protection of personal data, among other issues.
It is important to note that all pending matters that were unresolved by INAI will now be handled by the Secretariat of Anti-Corruption and Good Governance. This will likely result in delays in resolution times and may lead to discrepancies in the criteria applied to resolve cases.

Plaintiffs Try Another Bite at the Apple… and Google Too!

In a recent post about legal issues with the social casino sweepstakes model, we indicated that a recent RICO lawsuit against a social casino sweepstakes model, which also named Apple and Google, was dismissed voluntarily by the plaintiff. Plaintiffs are already taking another bite at the Apple.
A new lawsuit was filed against Apple and Google by lead Plaintiff Bargo and two co-plaintiffs. The new complaint alleges that the lawsuit is about “patently illegal gambling software being distributed to the cell phones, desktop computers and other personal electronic devices of individuals throughout New Jersey, New York and beyond, by an unlawful enterprise that includes two of the most successful companies in the world.” This complaint does not name any of the social casino games operators.
Rather, it alleges that the named defendants “willingly assist, promote and profit from” allegedly illegal gambling by: (1) offering users access to the apps through their app stores; (2) taking a substantial percentage of consumer purchases of Game Coins, Sweeps Coins and other transactions within the apps; (3) processing allegedly illicit transactions between consumers and the Sweepstakes Casinos using their proprietary payment systems; and (4) by using targeted advertising to allegedly “shepherd the most vulnerable customers to the Sweepstakes Casinos’ websites and apps” facilitating an allegedly unlawful gambling enterprise.
The legal claims are made under the NJ gambling loss recovery statute, the New Jersey Consumer Fraud Act, Unjust Enrichment, New York’s gaming loss recovery statute, NY consumer protection laws, and the RICO laws.

MASSIVE NEW RISK FOR MARKETERS: Dobronski Nukes SelectQuote and the Whole TCPAWorld Has to Deal With the Fallout

So there’s this guy named Mark Dobronski.
Frequent commenter on TCPAWorld.
Aggressive repeat litigator who is not, at all, afraid to go it alone in TCPA cases and bring suits on his own behalf. He also raises novel and interesting issues.
Here’s one.
47 CFR 64.1601 provides that anyone engaging in telemarketing must transmit either a CPN or ANI, and the name of the telemarketer. 
Dobronski alleged SelectQuote didn’t comply with this rule. So he sued.
But SelectQuote moved for summary judgment and won originally with the court determining the CFR provision was promulgated under section 227(e)–the Truth in Caller ID Act–that does not afford a private right of action.
Great, fine. Except one little problem– 64.1601 was promulgated before 227(e) was added to the TCPA.
Oops.
So this creates a mystery: Which section of the TCPA was the CFR section promulgated under?
SelectQuote’s attorneys argued it was pursuant to Section 227(d)–which prescribes technical requirements for prerecorded calls– but Dobronski countered the provisions of 64.1601 apply to all marketing calls, not just prerecorded calls.
As a result the Court defaulted to 227(c) as the statutory section that gave the FCC authority to promulgate the rule. This is so although the court conceded section 227(c) was not a perfect fit either.
So Dobronski just got a court to hold that the provisions of 64.1601 ARE enforceable pursuant to a private right of action.
Eesh.
That means telemarketers–looking at you lead generators–need to make sure either:

The name of the telemarketer is displayed on your caller ID; or
The name of the seller on behalf of which the telemarketing call is placed and the seller’s customer service telephone number are displayed.

Hope y’all are following along. Because this is a HUGE deal.
Btw– the CORRECT answer here is that the FCC EXCEEDED ITS AUTHORITY in creating 64.1601 as Congress had not yet given it the ability to regulate caller ID until 227(e) was passed. Ta da.
But SelectQuote’s lawyers (apparently) did not raise that argument. So here we are.
And, what a surprise– the lawyers who just got beat by a guy WITHOUT AN ATTORNEY are from, you guessed it!, #BIGLAW!!!
Hire big law. Expect big losses folks.
Luckily you can get out of the biglaw trap for less money but only for another 6 days!
Chat soon.
Case is: Dobronski v. SelectQuote 2025 WL 900439 (E.D. Mich March 25, 2025)