Illinois Amends ‘One Day Rest In Seven Act’ to Prohibit Employer Retaliation
Takeaways
The state’s “One Day Rest In Seven Act” now includes anti-retaliation provisions and an enforcement mechanism.
Employers should review their policies and practices and ensure they are compliant with the new law.
Related link
Illinois General Assembly – Full Text of Public Act 103-1082
Article
Recent amendments to the Illinois One Day Rest In Seven Act (ODRISA) prohibit employers from retaliating against employees and create an enforcement mechanism. The amendments went into effect March 21, 2025.
ODRISA requires employers to provide employees with at least 24 hours of rest in every “consecutive seven-day period.” It also requires meal periods of at least 20 minutes every 7.5 hours worked (and an additional 20-minute meal period for employees who work shifts of 12 hours or longer). Employers must also provide employees with reasonable restroom breaks.
Under the recent amendments, retaliation is prohibited against employees who have:
Exercised their rights under ODRISA;
Made ODRISA complaints to their employer or the Illinois Department of Labor (IDOL);
Instituted or are about to institute a proceeding under ODRISA; or
Testified or are about to testify in any investigation or proceeding under the Act.
820 ILCS 140/5.5.
An employee who believes their employer has violated ODRISA’s anti-retaliation provisions may file a claim with the IDOL and recover “all legal and equitable relief as may be appropriate.” 820 ILCS 140/7(b)(4).
The amendments also create an enforcement mechanism. The IDOL (represented by the Illinois attorney general) could assess penalties and fees and, ultimately, seek to enforce such penalties and fees by bringing a civil action “in any circuit court or in any administrative adjudicative proceeding under [the] Act.” 820 ILCS 140/7(d).
Employers should review their policies and practices and ensure they are compliant with the new ODRISA provisions.
TRAPPED: Appellate Court Holds Realtor.Com Cannot Compel Arbitration in TCPA Class Action On Lead Gen Form Sold to Subsidiary
Really important case for everyone in leadgen to pay attention to.
The lead generation industry continues to create TCPA risk for lead buyers, and even seemingly valid leads can cause a bunch of trouble if lead buyers don’t handle data correctly.
The case against Realtor.com involving leads sold by a website operator to Opcity, Inc. (a subsidiary of Move.com, which operates as Realtor) is a great example.
In Faucett v. Move, Inc., 2025 WL 1112935 (9th Cir. 2025), the Court of Appeals upheld a district court’s ruling refusing to enforce an arbitration provision in favor of Move.com.
The underlying facts are pretty straightforward.
Guy allegedly visited HudHomesUSA.org and filled out a consent form and accepted an arbitration agreement.
The consent form included Opcity, and the website operator sold the lead to Opcity (it is not clear whether it was sold directly or through aggregators). However, the arbitration agreement operated only in favor of the website operator and its “affiliates.”
Opcity somehow allegedly transferred the lead to Move.com who allegedly made outbound calls to Plaintiff in reliance on the lead.
Plaintiff sued Move.com, which tried to enforce the arbitration agreement, arguing it was an “affiliate” of the website operator. The lower court and the appellate court both disagreed.
The courts determined Opcity was likely not an affiliate of the website operator because the terms implied a corporate relationship in this context and none existed. But even if one did exist via contract between Opcity and the website operator, Move.com had no such relationship and it was a separate entity from Opcity.
Further, although Opcity was on the lead form, that was not sufficient to expand the reach of the arbitration agreement to it, and even if Opcity could be viewed as a third-party beneficiary of the consent form (which is unclear), Move.com certainly could not be because it was not on the consent form.
So the takeaway here is that arbitration clauses in leadgen forms likely DO NOT extend to all marketing partners on a hyperlink and DEFINITELY DO NOT extend to entities related to those marketing partners.
To avoid results like these, lead buyers should REQUIRE lead sellers to NAME THEM not just on marketing partners pages but also in arbitration provisions. Stated alternatively, the arbitration and consent provisions on lead generation websites should be co-extensive. So the parties bound by arbitration provisions on lead generation websites should include all marketing partners on the list!
TCPA REVOCATION LESSON: Cenlar’s $714,000.00 TCPA Revocation Settlement Arrives Just In Time to Crystalize Risk
So last Friday the FCC’s new TCPA revocation order went into effect.
While the nastiest parts of the ruling were stayed for one year thanks in large part to the major banks (thanks ABA/MBA and the rest of you!), a good portion of the rule did go into effect.
For those who are not on their revocation game and properly tracking requests, the final approval order in a new TCPA class settlement arrives just in time to help you change your ways!
In Kamrava v. Cenlar, 2025 WL 1116851 (C.D. Cal. April 14, 2025), the court granted final approval to Cenlar’s settlement of a TCPA class involving servicing calls made after revocation of consent.
In many ways this was a throwback case, as revocation classes have fallen by the wayside in recent years, leading to less focus on getting it right in some circles. Indeed, the case was filed way back in 2020 and is something of an oddity in today’s TCPAWorld landscape. However, the FCC’s new ruling supercharges risk here, which is why the settlement is so important.
The classes in Kamrava are as follows:
All persons within the United States who received an automated call to their cellular telephone, after revocation of consent, within the TCPA Class Period from defendant or a loan servicer on whose behalf Defendant was sub-servicing, its employees or its agents (the “TCPA Settlement Class”); and
All persons with addresses within the State of California who requested in writing that Defendant or the loan servicer on whose behalf Defendant was sub-servicing to stop contacting them and thereafter (i) received a letter asking them to sign and return a form confirming their cease-and-desist request or (ii) received at least one subsequent telephone call within the RFDCPA Sub-Class Period (the “RFDCPA Settlement Sub-Class”).
I was not involved in the case but I would guess what happened here is Cenlar was only temporarily stopping calls in response to an oral revocation request and then sending out a written letter which, if not returned within a certain timeframe, would result in calls beginning anew.
The claims arise from the tension between the TCPA and FDCPA/RFDCPA revocation rules. Under the debt collection statutes, only written requests to stop calls must be honored. But under the TCPA any reasonable means of conveying a revocation is effective, so calls using regulated technology must stop immediately, even if manually launched calls may continue.
It’s all part of a thicket of arcane TCPA requirements that can twist an ankle or skin a knee. And in this case Cenlar got snagged for nearly three quarters of a million dollars.
Video Privacy Protection Act: What’s Next After Sixth Circuit Creates Split
The Video Privacy Protection Act (VPPA) is a federal law aimed at prohibiting the unauthorized disclosure of a person’s video viewing history. While the VPPA was originally enacted in 1988 to prevent the disclosure of an individual’s video rental history by businesses like Blockbuster, the explosion of the internet in the decades since has greatly expanded its potential reach, giving rise to countless lawsuits targeting businesses’ websites. One such case, involving the alleged disclosure of the plaintiff’s video viewing history through use of Meta’s data-tracking Pixel, was recently decided by the United States Court of Appeals for the Sixth Circuit, in a decision that serves to narrow the reach of the VPPA.
In a published opinion, the Sixth Circuit addressed the issue of who can be considered a “consumer” – and thus able to bring a claim – under the VPPA. The VPPA defines the term “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Citing longstanding canons of statutory construction, the Sixth Circuit reasoned that, when read in the context of its surrounding text, the phrase “goods or services” is limited to audiovisual goods and services. The plaintiff, a subscriber to 247Sports.com’s newsletter, which contained links to videos that were accessible to anyone on the website, failed to allege that the newsletter itself was audiovisual material, and thus was not protected under the VPPA.
Notably, the Sixth Circuit’s decision was contrary to the conclusions previously reached by other Federal Courts of Appeals, specifically the Second and Seventh Circuits. Those courts had endorsed a broader interpretation of the term, considering a subscriber of any of the provider’s goods or services to be a “consumer” under the VPPA, regardless of whether the subscription was specifically for audiovisual materials. By defying this trend, the Sixth Circuit creates a circuit split that may be resolved by the Supreme Court of the United States. The defendant in the Second Circuit case on this issue has petitioned the Supreme Court to review the decision. Now, with a circuit split apparent, the Supreme Court may be more likely to intervene.
Against this uncertain backdrop, and with the wave of Meta Pixel and similar lawsuits continuing, businesses will need to carefully evaluate the operation of their websites and whether they may be subjected to a VPPA claim. The review should also include an analysis of the effectiveness of any consent provisions that the business may be relying on to avoid liability. Businesses should be aware of the risks presented by the entities they acquire or merge with whose data sharing practices may implicate the VPPA. To mitigate the risk of liability, due diligence in any such transaction should include a thorough review of the target company’s data practices, compliance with privacy regulations, and any ongoing or potential lawsuits tied to the use of tracking technology.
Caffeine Warning Bill Introduced in House of Representatives
A new bill introduced in the U.S. House of Representatives would require a “high caffeine” warning on beverages that contain more than 150 milligrams of caffeine, as well as require manufacturers to declare the amount of caffeine in their products.
Representative Robert Menendez introduced H.R.2511, the Sarah Katz Caffeine Safety Act, stating that “the bill is about transparency and safety,” aimed at preventing tragedies such as the death of Sarah Katz, a college student who died after drinking a highly caffeinated beverage. As we previously blogged, Katz’s parents filed a lawsuit alleging that Panera Bread Company’s “Charged Lemonade” caused their daughter’s death and that the beverage contained anywhere from 260-390 mg of caffeine, depending on the size of the beverage.
The bill would require menu items in chain restaurants containing at least 150 mg of caffeine to bear a statement such as “high caffeine” on the menu. In addition, the bill amends Section 403 of the Food, Drug, and Cosmetic Act to consider foods and dietary supplements containing more than 10 mg of caffeine as misbranded unless the label includes the amount of caffeine in the product, a statement of whether the caffeine is naturally occurring or an additive, and an advisory statement regarding FDA’s daily recommended limit of caffeine for healthy adults.
The bill also directs FDA to define “added caffeine” and review the status of caffeine and other stimulants as generally recognized as safe (GRAS). Specifically, FDA would be directed to consider:
Whether caffeine should be considered GRAS;
The safety of caffeine or other stimulants, either alone or in a blend;
The safety of guarana, taurine, and similar substances in food and dietary supplements with added caffeine;
Thresholds for the amount of caffeine or blends of caffeine and other stimulants; and
Whether any regulations relating to caffeine in food and dietary supplements should be issued or updated.
Finally, the National Institutes of Health would be required to conduct or support a review of the effect of caffeine consumption in vulnerable populations, and FDA and CDC would be required to conduct a public education campaign on caffeine safety.
FDA’s webpage on caffeine indicates that 400 mg a day is “not generally associated with dangerous, negative effects,” but that the level of sensitivity can vary widely.
Keller and Heckman will continue to monitor this bill and other developments regarding caffeinated beverages.
SPECIFIC VS. GENERAL PERMISSION: Jibrael Hindi Defends His Onslaught of TCPA Class Actions Before the FCC and His Argument is Kind of Interesting
So REACH recently submitted a hard-hitting comment in support of an effort to shut down frivolous lawsuits arising from out-of-time-limitation SMS messages.
These messages generally arise when a consumer travels from one location to another and the caller is not aware of the changed location and sends messages based upon area codes that end up being inaccurate because, you know, people move around.
R.E.A.C.H.’s comment is laser-focused on the language of the CFR that limits claims related to out-of-time messages to “solicitations,” and the definition of “solicitations” looks only at messages sent without prior express invitation or permission. It follows that a message sent with invitation or permission may be sent outside of the TCPA’s timing limitations.
Simple.
But not so fast.
Hindi (the guy behind hundreds of recent TCPA class actions against small businesses, who also just bragged about buying a 15-seat private jet on social media) counters that the CFR is unclear whether the permission was to be general or specific in nature.
In his view of the world, a consumer who gives permission to receive text messages from a business impliedly gives only limited consent, i.e., consent to receive texts WITHIN the timing limitations of the TCPA. While a consumer may ask for texts outside of the timing window, such consent must be SPECIFIC as to the timing component.
Here is how he frames the issue:
The undersigned does recognize that text messages sent with “prior express invitation or permission” are not “telephone solicitations” under the TCPA and, thus, do not fall within the ambit of the Quiet Hours Provision. See 47 U.S.C. § 227(a)(4); see also 47 C.F.R. § 64.1200(c)(1). However, it bears repeating that the instant issue lies not in general invitation or permission, but rather the scope of such invitation or permission. Senders of text messages—who are in the best position to clarify the scope of invitation or permission—often leave the detail of message timing unaddressed and ambiguous by and through their own opt-in language. Indeed, in the undersigned’s experience, almost no sender of text message solicitations cares to obtain a consumer’s prior express invitation or permission to send texts “before 8 a.m. or after 9 p.m.” or at “any time.” This is a major issue for consumers, who reasonably believe they consent to messages at objectively normal hours but are instead bombarded with texts during objectively invasive hours.
Almost all consumers complain about quiet hours messages, even when they have given general express invitation or permission to receive texts. These consumers, including those without a legal background of any kind, often point out that they did not specifically consent to receiving messages “before 8 a.m. or after 9 p.m.” or “any time.” The average person is confused or, in some cases, outright enraged when they merely provide a company with their residential phone number and start receiving text messages in the middle of the night. Even Petitioners acknowledge this reality, noting that after-hours text messages can cause nuisance or annoyance for consumers.
Interesting, no?
Importantly, general vs. specific consent may have BIG consequences in other TCPA arenas as well. For instance, if the courts or “delete delete delete” proceedings dismantle express consent rules in the CFR, we will be back to determining what “clearly and unmistakably stated” consent means for all purposes, and that might mean consumers must specifically request to hear from a caller “using an autodialer” or “using prerecorded calls” or “using AI.”
While that is not much of a shift from today’s practice for telemarketers, it is a MASSIVE shift for informational calling, where such specific consent is not required. So there may be bigger issues afoot here.
Regardless, I thought the response here was interesting enough to merit a quick blog.
Full response here: Jibrael Hindi
DOJ Announces 90-Day Grace Period for Companies to Comply with New Data Security Rules on Foreign Adversary Access to U.S. Sensitive Data
The U.S. Department of Justice (DOJ)’s new data security rule went into effect April 8, 2025. The rule creates what are effectively export controls and requires companies to take measures to prevent U.S. sensitive personal and government-related data from falling into the hands of foreign adversaries. The rule targets transactions (including data brokerage, vendor agreements, employment agreements, and investment agreements) involving access to bulk sensitive personal data or government-related data when those transactions involve identified covered persons or countries of concern (China, Russia, Iran, North Korea, Cuba, and Venezuela).
On April 11, 2025, the DOJ’s National Security Division (NSD) issued a Compliance Guide, a Frequently Asked Questions (FAQs) document, and its Implementation and Enforcement Policy, offering critical clarity on how it will assess compliance and approach enforcement of the rule. One of the most significant elements of the policy is the DOJ’s announcement of a 90-day grace period (between April 8, 2025 and July 8, 2025) for companies making good faith efforts to comply (willful violations may still be pursued). This grace period is intended to encourage early cooperation and foster a compliance-first mindset across industries.
Companies should take action now, if they have not done so already, to engage in compliance efforts (many of which are identified by DOJ as evidence of “good faith”) such as:
Assessing datasets and datatypes that might be covered by the rule
Reviewing data flows and data transactions, particularly those that might constitute data brokerage as defined in the rule
Analyzing vendor agreements to determine the need for new contractual terms; renegotiation of agreements; and potential transfer of products and services to new vendors
Instituting vendor due diligence practices aligned with the rule
Evaluating employee access and potentially modifying roles, responsibilities, or work locations
Assessing investments and investment agreements relating to countries of concern or covered persons
Revising or creating internal policies and procedures
Implementing security controls as set forth in the requirements established by the Cybersecurity and Infrastructure Security Agency (CISA)
The DOJ guidance confirms the effective dates in the rule and expectation for full compliance with initial requirements after the 90-day grace period. While the core rule took effect April 8, 2025, additional compliance obligations (e.g., audits, reporting, due diligence) must be in place by October 6, 2025.
Organizations that collect, store, or transmit sensitive personal data—especially with cross-border implications—should begin engaging in the activities listed above. The rule is effectively a form of national security data control and applies to a broad array of actors, from data brokers and cloud infrastructure providers to businesses with international partnerships or data transfers.
TO ADVERTISE OR NOT TO ADVERTISE: Court Holds Fax to Pharmacy May Cross the Line
A new TCPA suit highlights the tension over what constitutes an “advertisement” under the statute. In Mills Cashaway Pharmacy, Inc. v. Change Healthcare Inc. (M.D. Tenn., Apr. 10, 2025), the plaintiff pharmacy alleged that it received an unsolicited fax from defendant Change Healthcare promoting the prescription drug Xarelto. Change Healthcare moved to dismiss, arguing the fax was purely informational. The court, however, found the complaint plausibly alleged that the fax constitutes an unsolicited advertisement under the TCPA, and allowed the case to proceed.
Mills Cashaway Pharmacy, Inc. (“Mills”), a pharmacy based in Parks, Louisiana, filed suit on August 9, 2024, asserting a single claim for violation of the TCPA. The complaint alleges that, in September 2020, Mills received an unsolicited fax on its dedicated fax line. The fax, purportedly sent by Change Healthcare, contained the name and prescription number of one of Mills’ patients and directed the reader to “visit Xarelto.com” for more information about the drug, including safety and side effect details.
Mills alleges that the fax was designed to promote a 90-day supply of Xarelto over a 30-day supply or a different drug altogether, encouraging recipients like the pharmacy to influence patient behavior and drive demand for the product. According to the complaint, the fax falsely stated that the patient’s insurance plan would cover the 90-day supply. Mills asserts there was no preexisting business relationship between the parties and notes that the fax lacked the statutorily required opt-out notice.
The TCPA prohibits sending a fax that is an “unsolicited advertisement” unless, among other requirements, the fax has a satisfactory opt-out notice. There is a private right of action for recipients of unsolicited advertisements, with statutory damages of $500 per violation. Here, the parties did not dispute that the fax Change Healthcare sent to Mills was unsolicited and lacked an opt-out provision. The sole issue in dispute was whether the fax qualified as an advertisement within the meaning of the TCPA. Change Healthcare argued it did not, asserting that it merely provided information to a patient already prescribed Xarelto.
The Mills court observed that under the TCPA, an “unsolicited advertisement” is defined as any material that promotes the commercial availability or quality of goods or services, sent without the recipient’s prior consent. The Court discussed several cases interpreting the TCPA’s definition of “advertisement”:
S.A.S.B. Corp. v. Johnson & Johnson Health Care Sys. Inc. (D.N.J. 2024): The court ruled that a fax about Xarelto was not an ad, as it targeted patients already prescribed the drug and didn’t contain pricing or overt promotional content. The “overall thrust” of the message was deemed informational.
Michigan Urgent Care & Primary Care Physicians, P.C. v. Medical Security Card Co. (E.D. Mich. 2020): In contrast, the court found a fax promoting a “free” prescription savings card to be an advertisement. Even though the program was free, the court determined that the fax supported the defendant’s business model, which depended on broad usage of the card, potentially impacting defendant’s profits.
Matthew N. Fulton, D.D.S., P.C. v. Enclarity, Inc. (6th Cir. 2020): A fax requesting updated contact information was ruled to be an advertisement because it was a pretext for future marketing efforts. The Sixth Circuit emphasized that courts must look beyond the face of the fax to its intent and commercial purpose.
In light of the above precedent, the Mills Court rejected Change Healthcare’s argument that the fax contained purely informational messaging. First, the Court noted that although the fax appeared to reference a specific patient, it was sent to the pharmacy—not the patient. Second, the message encouraged a switch to a 90-day supply, which the court found could reasonably be construed as promoting the commercial availability of Xarelto.
The court emphasized that determining whether a fax is an advertisement is not always obvious from its face. Citing Enclarity and Michigan Urgent Care, it reiterated that a defendant’s intent and the broader context may render an ostensibly informational fax commercial in nature. The complaint plausibly alleged that the fax was designed to increase sales of Xarelto by encouraging pharmacies to influence patient prescriptions—conduct that could be motivated by profits.
While Change Healthcare argued the purpose was merely to notify patients of coverage and convenience, the court found that the plaintiff’s allegations and the content of the fax were sufficient, at this stage, to proceed under the TCPA’s definition of an advertisement.
The court’s ruling underscores a key principle in TCPA litigation: the determination of whether a fax is an “advertisement” often hinges not only on explicit language but also on the context, purpose, and business model underlying the message. Even materials presented as purely informational can support a TCPA claim if they plausibly serve a commercial aim.
Digital Policy: Highlights of the German Coalition Agreement 2025
The newly published German Coalition Agreement 2025 (CA 2025), German language version available here, outlines a digital agenda of the new German government, aimed at strengthening Germany’s position as a leader in digital innovation, data protection, and technological sovereignty. This GT Alert provides an overview of key digital policy areas that the CA 2025 addresses, highlighting the new government’s priorities and potential implications for businesses operating in Germany.
1. Data Protection
The coalition emphasizes the importance of harmonizing and simplifying data protection standards while promoting innovation and economic growth. Key measures include:
Simplification for SMEs and Non-Commercial Activities: The new government plans to leverage the GDPR’s flexibility to simplify compliance for small and medium-sized enterprises (SMEs). On an EU level, the coalition wants to exclude SMEs, non-commercial organizations, and “low risk activities” from the GDPR’s scope (lines 2103 et seqq.).
Centralized Oversight: The Federal Data Protection Commissioner would be empowered (and renamed) to oversee data protection, data usage, and information freedom, consolidating responsibilities for greater efficiency (lines 2248 et seqq.).
Opt-out Instead of Consent: Burdensome consent requirements would be replaced by opt-out solutions “in accordance” with EU laws (lines 2096 et seqq.).
2. Data Sharing
The CA 2025 promotes a culture of data sharing to foster innovation while safeguarding individual rights. Highlights include:
Public Money, Public Data: Commitment to making data from publicly funded institutions openly accessible, with robust data trustee mechanisms to foster trust and quality (lines 2243 et seqq.).
Comprehensive Data Framework: Aim to develop modern regulations on data access and data economy for promoting data ecosystems in a comprehensive framework (lines 2238 et seqq.).
3. Online Platforms and Social Networks
The coalition underscores the need for fair competition and user protection, particularly from disinformation, in the digital space.
Platform Regulation: General commitment to supporting the EU’s Digital Services Act and Digital Markets Act to ensure platforms address systemic risks like disinformation and remove illegal content (line 2285).
Transparency and Accountability: Online platforms would be required to comply with existing obligations on transparency and content moderation. Even stricter liability for user content is being considered (lines 3926 et seqq.).
Possible Bot Identification Measures: The introduction of mandatory bot identification provisions for digital players is “being considered” (lines 2290 et seqq.).
4. Digital Infrastructure
The coalition prioritizes expanding Germany’s digital infrastructure to support economic growth and digital transformation.
Data Center Hub: The coalition aims to make Germany Europe’s leading data center hub, with a focus on energy-efficient operations and integration into district heating systems (lines 2192 et seqq.).
Nationwide Fiber Optic Rollout: The new government commits to accelerating the deployment of fiber-optic networks and ensuring high-speed internet access for all households (lines 2201 et seqq.).
Mobile Coverage and Satellite Technology: Efforts would be made to enhance mobile network coverage and explore satellite technology for underserved areas (lines 2201 et seqq., 2279 et seqq.).
5. Public Sector Digitalization
The coalition envisions a user-centric, fully digital public administration.
Restructuring Government Bureaucracy: The new government promises to reduce administrative staff in general and, in particular, wants to reduce the total number of federal authorities (lines 1811 et seqq.). At the same time, a new federal ministry for digitization and state modernization would be created (line 4564), which underscores the coalition’s focus on digitization topics.
Simplifying Administrative Processes: The new government intends to eliminate unnecessary formalities to simplify administrative processes for businesses (lines 339 et seqq., 1798 et seqq., 2171 et seqq.). Particularly, with the adoption of a new general clause, the written form requirement is to be abolished “wherever possible” (lines 2177 et seqq.). Administrative processes would be streamlined and automated, with a focus on eliminating the need for physical paperwork (lines 2155 et seqq.).
“One Stop Shop” for Administrative Services: The coalition aims to enable straightforward digital administrative services via a central platform (one-stop shop). A centralized platform would enable German citizens to access government services digitally, with mandatory digital identities for all citizens (lines 1802 et seqq.).
“Once Only” Approach for Citizens: Intergovernmental data sharing commitments would ensure that citizens have to provide their data only once to the government (lines 2080 et seqq.).
Public Procurement: Consolidated procurement platforms would standardize public procurement (especially of IT services) and help reduce dependence on “monopolistic” suppliers (lines 2075 et seqq.).
6. Digital Sovereignty
The coalition aims to reduce Germany’s dependencies on non-European technologies and to strengthen its digital autonomy.
Open Source and Open Standards: The new government aims to promote open-source solutions and define open interfaces to enhance interoperability and security, without providing many details (lines 2139 et seqq., 2172 et seqq.).
Strategic Investments: Funding would be directed towards key technologies such as cloud computing, artificial intelligence (AI), and cybersecurity (lines 108 et seqq.).
7. Artificial Intelligence (AI)
AI is positioned as a cornerstone of Germany’s digital strategy.
Investments in AI and Cloud Technology: The coalition promised “massive” investments in AI and cloud technologies, without going into further detail (line 108).
“AI Gigafactory” in Germany: The coalition aims to establish at least one European “AI gigafactory” in Germany (lines 2193 et seqq., 2509 et seqq.).
Regulatory Framework: The new government wants the EU AI Act implemented in a way that fosters innovation while addressing ethical and safety concerns (lines 2256 et seqq.). Particularly, burdens on the economy resulting from the technical and legal specifications of the AI Act would be removed (lines 2268 et seqq.).
Copyright Balance: The coalition plans to ensure fair remuneration for creators in generative AI development, mandate fair revenue sharing on streaming platforms, and enhance transparency in content usage (lines 2824 et seqq.).
Conclusion
The German CA 2025 sets a vision for digital transformation, emphasizing the streamlining of regulatory and administrative hurdles, infrastructure development, and technological sovereignty. While many details remain unclear, businesses should prepare for regulatory changes and explore opportunities arising from the new government’s focus on innovation and digitization. As these policies take shape, staying informed and proactive will be key to navigating the evolving digital landscape in Germany.
California AG Appeals Decision Blocking Enforcement of Age-Appropriate Design Code Act
On April 11, 2025, California Attorney General Rob Bonta appealed the U.S. District Court for the Northern District of California’s decision blocking enforcement of California’s Age-Appropriate Design Code Act (“AADC”). As we previously reported, on March 13, 2025, the Court granted a second motion for preliminary injunction in favor of the technology trade group NetChoice, enjoining the California AG from enforcing the AADC.
In announcing the appeal, AG Bonta said: “We are deeply concerned about further delay in implementing protections for children online. That is why, today, my office has appealed the Northern District of California’s decision blocking enforcement of the Age-Appropriate Design Code.”
Navigating the New DOJ Data Security Program Compliance
On January 8, 2025, the U.S. Department of Justice (“DOJ”) issued its final rule implementing Executive Order 14117, which aims to prevent countries of concern, including China, Cuba, Iran, North Korea, Russia, and Venezuela, from gaining access to Americans’ bulk sensitive personal data and government-related data (the “Data Security Program” or “DSP”). The DSP sets forth prohibitions and restrictions on certain data transactions that pose national security risks. The regulations took effect on April 8, 2025, with additional compliance requirements for U.S. persons taking effect by October 6, 2025.
On April 11, 2025, the DOJ issued a compliance guide, along with a list of Frequently Asked Questions (FAQs) to assist entities with understanding and implementing the DSP. The DOJ also announced a 90-day limited enforcement period from April 8 to July 8, 2025, focusing on facilitating compliance rather than enforcement, provided that entities are making good faith efforts as outlined in the 90-day policy.
By July 8, 2025, entities must be fully compliant with the DSP, as the DOJ will begin enforcing the provisions more rigorously. By October 6, 2025, compliance with all aspects of the DSP, including due diligence, audit requirements, and specific reporting obligations, will be mandatory.
SCOPE OF THE DSP
The DSP applies to U.S. persons and entities engaging in transactions that provide access to Covered Data to Countries of Concern or Covered Persons.
Countries of Concern: The DSP has initially listed China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia and Venezuela as countries of concern. The Attorney General, along with the Secretary of State and the Secretary of Commerce, may amend such countries based on guidelines in the DSP.
Covered Persons: The DSP defines Covered Persons as entities or individuals associated with a Country of Concern, including those who are substantially owned, organized, or primarily operating within these countries, as follows:
An entity that is 50% or more owned by a Country of Concern
An entity that is organized or chartered under the laws of a Country of Concern
An entity that has its principal place of business in a Country of Concern
An entity that is 50% or more owned by a Covered Person
A foreign person, as an individual, who is an employee or contractor of a Country of Concern or of a Covered Person entity
A foreign person, as an individual, who is primarily resident in the territorial jurisdiction of a Country of Concern
Any entity or individual that the Attorney General designates as a Covered Person under the broad discretion set forth in the DSP
Covered Data: The DSP regulates transactions involving two primary categories of data: U.S. sensitive personal data and U.S. government-related data.
U.S. Sensitive Personal Data – applies to data that meets the “bulk” thresholds, including:
Human ‘omic Data: This includes human genomic, epigenomic, proteomic, and transcriptomic data.
Biometric Identifiers: These are measurable physical characteristics or behaviors used to recognize or verify an individual’s identity, such as facial images, voice prints, retina scans, and fingerprints.
Precise Geolocation Data: This identifies the physical location of an individual or device to within 1,000 meters.
Personal Health Data: This includes data that indicates, reveals, or describes an individual’s physical or mental health condition, healthcare provision, or payment for healthcare.
Personal Financial Data: This includes data about an individual’s financial accounts, transactions, and credit history.
Covered Personal Identifiers: These are combinations of listed identifiers, such as government ID numbers, financial account numbers, device identifiers, demographic or contact data, advertising identifiers, account authentication data, network-based identifiers, and call-detail data.
Bulk Thresholds – The “bulk” threshold is met when a collection or set of U.S. Sensitive Personal Data, in any format and regardless of whether the data is anonymized, pseudonymized, de-identified, or encrypted, reaches the following counts over the preceding 12-month period, whether in a single transfer or across multiple transfers:
Human genomic data: 100 or more U.S. persons
Biometric identifiers: 1,000 or more U.S. persons
Human ‘omic data other than human genomic data: 1,000 or more U.S. persons
Precise geolocation data: 1,000 or more U.S. devices
Personal health data: 10,000 or more U.S. persons
Personal financial data: 10,000 or more U.S. persons
Covered personal identifiers: 100,000 or more U.S. persons
A dataset that combines more than one of these categories is “bulk” as soon as any one category meets its own threshold.
U.S. Government-Related Data – The DSP applies to the following categories of government related data:
Precise Geolocation Data: For locations designated by the Attorney General as posing a heightened risk of exploitation by a country of concern.
Sensitive Personal Data Linked to Government Employees: Data marketed as linked or linkable to current or former U.S. government employees or officials, including military and intelligence personnel.
COVERED TRANSACTIONS
Transactions are categorized as Prohibited, Restricted, or Exempt and receive varying degrees of restrictions.
Prohibited Transactions: The following transactions with a Country of Concern or Covered Person are banned outright:
Data Brokerage: The sale, licensing, or similar commercial transfer of data from a provider to a recipient that did not collect or process the data directly from the individuals to whom it relates.
Human ‘Omic Data: Transactions that provide access to bulk human ‘omic data (genomic, epigenomic, proteomic, and transcriptomic data) or to human biospecimens from which such data could be derived.
Restricted Transactions: Subject to the exemptions below, the following types of agreements remain permitted, but only if the U.S. person complies with stringent security and compliance requirements:
Vendor Agreements: Agreements where a person provides goods or services to another person, including cloud-computing services, in exchange for payment or other consideration. These transactions must comply with security requirements to prevent unauthorized access to covered data.
Employment Agreements: Agreements where an individual performs work directly for a person in exchange for payment or other consideration. This includes board service and executive-level arrangements.
Investment Agreements: Agreements where a person gains direct or indirect ownership of a U.S. legal entity or real estate. Passive investments, such as publicly traded securities, are excluded. These transactions must adhere to security measures and due diligence requirements.
Exempt Transactions: categories exempt from regulation under the DSP include:
Personal communications
Information or informational materials
Travel
Official business of the U.S. Government
Financial services
Corporate group transactions
Transactions required or authorized by U.S. federal law or international agreements, or necessary for compliance with federal law
Investment agreements subject to CFIUS action
Telecommunications services
Drug, biological product and medical authorizations
Other clinical investigations and post-marketing surveillance data
90-DAY LIMITED ENFORCEMENT PERIOD AND “GOOD FAITH EFFORTS” TO COMPLY
During the DOJ’s 90-day limited enforcement period from April 8 to July 8, 2025, the DOJ will focus on facilitating compliance rather than prioritizing enforcement actions against entities that are making good faith efforts to comply. Good faith efforts include the compliance activities described in the 90-day policy, such as:
Conducting internal reviews of sensitive data access.
Reviewing datasets for DSP applicability.
Renegotiating vendor agreements.
Transferring products to new vendors.
Conducting due diligence on new vendors.
Negotiating transfer provisions with foreign counterparts.
Adjusting employee roles or locations.
Evaluating investments from countries of concern.
Renegotiating investment agreements.
Implementing CISA Security Requirements.
LIABILITY
Violations of the DSP can lead to significant civil and/or criminal penalties. Civil penalties can reach the greater of $377,700 (adjusted for inflation) or twice the value of the transaction. Willful violations can result in criminal fines of up to $1,000,000, imprisonment for up to 20 years, or both.
COMPLIANCE TIMELINE
April 8, 2025: DSP regulations take effect.
July 8, 2025: Full compliance with DSP required.
October 6, 2025: Compliance with all DSP aspects, including audits and reporting, as may be required.
ACTIONABLE ITEMS
Companies should complete the following:
Assess Data Holdings: Conduct thorough audits to identify sensitive personal data and government-related data and determine if it meets the DSP’s bulk thresholds (this includes information collected and transferred via online tracking technologies).
Review and Update Contracts: Amend contracts to cease prohibited transactions and to satisfy the terms that apply to restricted transactions, including provisions that bar unauthorized onward data brokerage.
Develop Compliance Programs for Restricted Transactions: Establish a comprehensive data compliance program by October 6, 2025.
Implement Security Measures: Apply organizational, system, and data-level security measures, using technologies like data minimization, encryption, masking, and privacy-enhancing technologies.
Conduct Annual Audits: Perform annual audits to assess DSP compliance, in line with the DSP requirements, and retain the audit records for at least 10 years.
Prepare for Annual Reporting: Ensure the necessary records are being generated so that annual reports can be submitted on time. The reports are required of entities that engage in restricted transactions involving cloud-computing services and that are 25% or more owned, directly or indirectly, by a country of concern or a covered person.
Monitor Transactions: Regularly monitor data transactions and report to the DOJ, within 14 days, any offer of a prohibited data brokerage transaction that the company has received and rejected.
Train Employees: Implement training programs to ensure understanding and compliance with DSP regulations.
CONCLUSION
The DSP signifies a significant effort to protect U.S. sensitive personal and government-related data from foreign threats. Compliance is a legal necessity and a strategic measure to safeguard business operations and reputation. By understanding the DSP’s scope and implementing the steps outlined in this alert, businesses can ensure they are well-prepared to meet compliance requirements.
Best Foot Forward? Rack Room’s Privacy Policy Not Clear Enough For Dismissal
It’s becoming clear that companies that don’t treat their privacy policies as a living document are taking huge risks.
Rack Room Shoes had to learn this the hard way in a recent case out of the Northern District of California. In Smith v. Rack Room Shoes, Inc. (2025 WL 1085169 April 4, 2025), Rack Room lost a motion to dismiss regarding whether or not the Plaintiff gave consent to “the disclosures of their data by continuing to use Rack Room’s website after being notified of Rack Room’s privacy policy…The privacy policies at issue, however, contain ambiguities that prevent a finding of consent as a matter of law.”
Essentially, Rack Room had embedded code of third-party companies onto their website, including both the Meta Pixel and the Attentive Tag. The Meta Pixel would, among other things, record the user’s search queries, items viewed and placed in cart, and hashed values containing the personal information of the user. The Attentive Tag would “send messages that can contain the full URL string visited, the product purchased, and the unencrypted phone number and email that the visitor entered when making a purchase.”
These are normal use cases for these sorts of tags and generally not a problem in themselves. However, Rack Room’s privacy policy explicitly stated that, while the site uses cookies and beacons, “none of the information collected through cookies or beacons is personally identifiable.”
Oops.
Additionally, Rack Room argued that its privacy policy allows it to collect voluntarily provided personally identifiable information (PII) and to share that PII with marketing partners. The plaintiffs countered that the PII was not disclosed in isolation; combined with the browsing and purchase information, the disclosure violated the privacy policy. The Court agreed: “Plaintiffs plausibly allege…that a reasonable user would not understand Rack Room’s privacy policy to authorize such a disclosure.” It therefore denied the motion to dismiss all claims premised on consent.
The plaintiffs also brought CIPA claims, which Rack Room moved to dismiss; the Court denied those motions as well. Rack Room argued that Meta and Attentive were acting as extensions of Rack Room itself, but the Court relied on Ambriz v. Google (discussed earlier on CIPAWorld). Because Rack Room knew that the Meta Pixel and the Attentive Tag intercept personal information, the Court denied the motion to dismiss.
Multiple misses on Rack Room’s part, but the main takeaway is that companies can obtain consent to share personal information. The consent, however, must accurately reflect the company’s actual practices. General, sweeping privacy policy language is no longer effective.
And I get it: people change the pixels and tags on their sites often. But that is not going to be an excuse. When a company changes its pixels or other tracking, it needs a process in place to ensure either that the new pixels and cookies match the privacy policy or that the privacy policy is updated.
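One way to build that process is to run a tag audit whenever the site’s tracking changes: crawl the site with a test account, capture the requests the page makes, and flag any third-party request that carries PII, hashed PII, or browsing data the privacy policy does not disclose as shared. The script below is an added example written for this post; it is not Rack Room’s code and not any tag vendor’s code. The hostnames (shop.example, pixel.example.net, tag.example.org), the parameter names, and the three captured requests are constructed for illustration; the hashed-identifier check assumes, as is common for pixels, that identifiers are lowercased and trimmed (phone numbers reduced to digits) before SHA-256 hashing.

```python
"""Audit captured third-party tag requests for PII the privacy policy does not
disclose. Added example, not Rack Room's or any vendor's code; hostnames,
parameter names and the captured requests are constructed."""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1)?\d{10}(?!\d)")
BROWSING_RE = re.compile(r"[?&](q|search)=|/product/")


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


# Identifiers the test account typed during the crawl (constructed).
TEST_EMAIL = "jane.doe@example.com"
TEST_PHONE = "+1 415-555-0100"
FIRST_PARTY_HOSTS = {"shop.example"}

# Constructed capture of three outbound requests, reduced to the shape a HAR
# export gives: one first-party API call, one pixel-style beacon carrying a
# SHA-256 of the email plus the page URL (search query included), and one
# SMS-marketing tag that posts the email and phone number in the clear.
SAMPLE_REQUESTS = [
    {"url": "https://shop.example/api/cart?sku=A1", "body": ""},
    {"url": "https://pixel.example.net/tr?ev=Search&ud[em]=" + _sha256(TEST_EMAIL)
            + "&dl=https%3A%2F%2Fshop.example%2Fsearch%3Fq%3Drunning%2Bshoes",
     "body": ""},
    {"url": "https://tag.example.org/collect",
     "body": "email=jane.doe%40example.com&phone=%2B14155550100"
             "&url=https%3A%2F%2Fshop.example%2Fproduct%2FA1"},
]


@dataclass(frozen=True, order=True)
class Finding:
    host: str
    data_class: str  # "pii", "hashed_pii" or "browsing"
    field: str       # query/body parameter that carried it


def hashed_forms(identifiers):
    """Map SHA-256 digests of normalised identifiers back to the original.

    Pixels that 'hash' PII typically lowercase and trim it (and reduce phone
    numbers to digits) before hashing, so a digest seen on the wire can be
    matched against identifiers we know were entered. Hashing is not anonymity.
    """
    digests = {}
    for ident in identifiers:
        norm = ident.strip().lower()
        digests[_sha256(norm)] = ident
        digits = re.sub(r"\D", "", norm)
        if digits:
            digests[_sha256(digits)] = ident
    return digests


def _params(req):
    """Yield (name, value) pairs from the query string and a form-encoded body."""
    yield from parse_qsl(urlsplit(req["url"]).query, keep_blank_values=True)
    yield from parse_qsl(req.get("body", ""), keep_blank_values=True)


def classify(value, digests):
    """Return the data class of one parameter value, or None if it is benign."""
    if value.lower() in digests:
        return "hashed_pii"
    if EMAIL_RE.search(value) or PHONE_RE.search(value):
        return "pii"
    if BROWSING_RE.search(value):
        return "browsing"
    return None


def audit(requests, first_party_hosts, known_identifiers):
    """Findings for every third-party request that carries PII or browsing data."""
    digests = hashed_forms(known_identifiers)
    findings = set()
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if host in first_party_hosts:
            continue
        for name, value in _params(req):
            data_class = classify(value, digests)
            if data_class:
                findings.add(Finding(host, data_class, name))
    return sorted(findings)


def policy_violations(findings, disclosed_classes):
    """Findings whose data class the privacy policy does not say is shared."""
    return [f for f in findings if f.data_class not in disclosed_classes]


if __name__ == "__main__":
    # A policy stating that nothing collected by beacons is personally
    # identifiable discloses, at most, the sharing of browsing data.
    found = audit(SAMPLE_REQUESTS, FIRST_PARTY_HOSTS, [TEST_EMAIL, TEST_PHONE])
    for f in policy_violations(found, disclosed_classes={"browsing"}):
        print(f"{f.host}: {f.data_class} in parameter {f.field!r}")
```

Run against the constructed capture with a policy that discloses only browsing data, the audit reports the hashed email sent by the pixel and the plaintext email and phone number sent by the marketing tag; the product and search URLs pass. The hashed-identifier check is the part worth keeping: a digest of a known customer email is still that customer, so “hashed” values do not rescue a policy that promises nothing personally identifiable is collected.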