States Move Forward with Privacy Protections to Close HIPAA Gaps for Health, Reproductive Health Info
Takeaways
Multiple state laws are strengthening protections for health data, increasingly going beyond HIPAA, healthcare providers and health plans.
Certain categories of health information, such as reproductive health, have greater privacy protections.
Organizations cannot look solely to HIPAA when assessing privacy compliance.
Article
When it comes to safeguarding health data, the Health Insurance Portability and Accountability Act (HIPAA) is paramount. HIPAA’s extensive reach encompasses nearly all healthcare providers and all health plans, affecting just about every American. However, its coverage is not complete. States are stepping in to address the gaps and tackle specific areas of concern, such as reproductive health information.
Businesses will want to closely monitor state law developments even if they are not healthcare providers or health plans covered by HIPAA. This is especially important for businesses operating across multiple states. Even for covered entities or business associates under HIPAA, certain aspects of state laws still may raise compliance issues to consider.
To illustrate, consider the laws of Washington, Nevada, Virginia, and New York.
Washington
Washington’s My Health, My Data Act is considered one of the first comprehensive state laws addressing certain health data not covered by HIPAA. The legislative findings explain part of the thinking:
Washingtonians expect that their health data is protected under laws like the health information portability and accountability act (HIPAA). However, HIPAA only covers health data collected by specific healthcare entities, including most healthcare providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections. This act works to close the gap between consumer knowledge and industry practice by providing stronger privacy protections for all Washington consumers’ health data.
The Washington law applies to “regulated entities” — entities that
Conduct business in Washington, or produce or provide products or services targeted to consumers in Washington; and
Alone or jointly with others, determine the purposes and means of collecting, processing, sharing, or selling consumer health data.
The law’s application is not limited to providers or plans. Further, although the law covers the typical categories of health information, such as health condition or diagnosis, it also addresses more specific categories of health information, including:
Gender-affirming care information.
Reproductive or sexual health information.
Biometric data.
Genetic data.
Precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services and supplies.
Violations are enforceable through prosecution by the state Attorney General’s Office or through private actions brought by affected consumers.
Nevada
In 2023, Nevada enacted protections like those under Washington’s My Health, My Data Act. However, the Nevada law does not include a private right of action.
Virginia
Virginia recently amended its Consumer Protection Act (VCPA), effective July 1, 2025, focusing on safeguarding reproductive and sexual health information. The VCPA regulates “suppliers,” defined as a “seller, lessor, licensor, or professional that advertises, solicits, or engages in consumer transactions, or a manufacturer, distributor, or licensor that advertises and sells, leases, or licenses goods or services to be resold, leased, or sublicensed by other persons in consumer transactions.” Based on this definition, the compliance obligations, along with litigation and enforcement risks, extend beyond HIPAA in several respects. The amendments to the VCPA aim to bolster consumer protection, particularly in managing reproductive and sexual health information.
Key points for businesses:
Prohibition on Collection and Disclosure Without Explicit Consent: The law strictly prohibits the collection, disclosure, sale, or dissemination of consumers’ reproductive or sexual health information unless explicit consent is obtained. “Consent” means “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer.”
Broad Definition: The definition of “reproductive or sexual health information” is broad and includes data related to past, present, or future reproductive or sexual health, such as efforts to obtain reproductive health services, use of contraceptives, health status (e.g., pregnancy and menstruation), and treatments or surgeries.
Exclusions: The law excludes HIPAA-protected data and records related to substance use disorder treatment.
Private Right of Action and Enforcement: Individuals may bring an action for violations and can potentially recover the greater of actual damages or $500. The state attorney general may also investigate violations and seek civil penalties of up to $2,500 for willful violations.
New York
Earlier this year, New York passed Senate Bill 929, the “New York Health Information Privacy Act” or “New York HIPA.” (If it becomes law, referring to these laws will become a little more confusing: HIPAA, HIPPA, HIPA, and so on.) HIPA generally follows the approaches taken by the state laws discussed above. It does not provide a private right of action but grants the state attorney general authority to seek civil penalties of up to $15,000 per violation or 20% of revenue obtained from New York consumers within the past fiscal year, whichever is greater, as well as other forms of relief.
Comprehensive State Privacy Laws
Many states have adopted comprehensive privacy laws that protect personal information in general, including health-related data. While the definitions of covered entities may vary, they should be considered when assessing compliance.
The California Privacy Rights Act (CPRA), for example, has a broad definition of sensitive data that includes mental or physical health conditions and sexual orientation. Similar to Virginia, the CPRA aims to protect consumers’ personal information, but it expands the scope to include sex life, which Virginia’s VCPA does not. The Colorado Privacy Act also includes “sex life” in its definition of sensitive data. These are just a few differences in how states define and protect categories of sensitive data.
Even before the Trump Administration began to reimagine the federal government’s role in regulatory and enforcement activities, states had already identified gaps in HIPAA’s protections for health information and begun to address them. Consequently, a broader range of entities must now revisit their handling of health information, especially if they have been outside of HIPAA’s reach.
Montana Amends Law to Cover Collection and Use of Neural Data
Montana recently revised its Genetic Information Privacy Act to address neural data. The law went into effect in 2023 and applies to both entities that offer genetic testing services as well as entities that use genetic data.
Under the current law, covered entities must provide notice and also have choice obligations. This includes getting consent about collection, use and sharing of genetic data. Covered entities must include specific content in the consent request. They also need to give separate notice in several circumstances. This includes if they want to share genetic information with non-vendor third parties or use it for marketing purposes. There are also data security obligations under the law, as well as access obligations.
The Montana governor signed SB 163 on May 1 to amend the Genetic Information Privacy Act. As a result, beginning October 1, 2025, there will be several changes to the law. They include:
Neural data will be covered by the law: As revised the law will cover “neurotechnology data.” This is information capable of “recording, interpreting, or altering the response of an individual’s central or peripheral nervous system” to its external environment. (This definition is slightly different than that which California and Colorado added to their comprehensive privacy laws.)
De-identified neural data out of scope: As modified, the law will also except from coverage deidentified neural data that is used for research purposes. To be deidentified, among other things, the information cannot be reasonably linked to the individual, and measures must be taken to ensure that the data cannot be reassociated with an individual.
Exceptions added to right of access: Also as modified, the law will provide for exceptions to the obligation to give individuals access to covered data, including if express consent was obtained from an individual participant in a clinical trial which was obtained following the provisions specified in the law (these include content and font size obligations, among other things).
Putting it Into Practice: This modification to Montana’s Genetic Information Privacy Act reflects regulators’ concerns with uses of neural data, which companies might use when offering wearable technology or engaging in advertising that measures emotional engagement. This modification is a reminder for those who engage in these activities to review their notice process and consider whether consent might be needed under this or similar laws.
Massachusetts Appeals Court Affirms Treble Damages for Knowing Chapter 93A Violation
In Wicked-Lite Supply, Inc. v. Woodforest Lighting, Inc., the Massachusetts Appeals Court examined whether a seller’s conduct in a commercial lighting transaction violated Chapter 93A, Sections 2 and 11, and if the conduct was knowing or willful enough to warrant multiple damages. The plaintiff, having experienced repeated failures with purchased lights, received only blame-shifting and inadequate remedies from the seller. Despite knowledge of defects, the seller insisted there was no problem and provided knowingly incompatible replacement lights. Discovery revealed the seller was aware of the faulty lights. Despite additional discussions about resolving the matter, the seller did not fix the problem and made the buyer feel like “a hamster on a wheel.” The trial judge found a Chapter 93A violation and awarded treble damages due to the defendant’s willing and knowing misconduct.
Appeals Court Analysis
On appeal, the defendant argued the conduct amounted to a simple breach of contract (which the jury had found), not a Chapter 93A violation, especially since the jury found no breach of the implied warranty of merchantability. Thus, the defendant contended, the jury necessarily rejected the premise that the defendant knowingly sold a product that it knew or should have known was defective. The Appeals Court disagreed, explaining that whether conduct violates Chapter 93A is based on “the totality of the circumstances.” The court reaffirmed that conduct need not attain “the antiheroic proportions of immoral, unethical, oppressive, or unscrupulous conduct, but need only be within any recognized or established common law or statutory concept of unfairness” to violate Chapter 93A. The trial judge had found the Chapter 93A violation was distinct from any breach of contract or related warranty issues, based on the defendant’s knowledge of defects and persistent, unfounded assurances that nothing was wrong, which were, in essence, misrepresentations.
Willfulness, Knowledge, and Multiple Damages
The Appeals Court upheld the award of treble damages, noting that multiple damages under Chapter 93A were warranted based on the egregiousness of the conduct. The Appeals Court was bound by the trial judge’s findings of fact, which were supported by the evidence and all reasonable inferences drawn from that evidence. Here, the evidence was sufficient to prove willfulness and knowledge to support multiple damages.
The Appeals Court contrasted this case with VMark Software, Inc. v. EMC Corp., where the defendant “acted in good faith in its dealings with the plaintiff” and fully expected the product would function as represented. The defendant in that case also was “persistently ready and willing, though ultimately unable, to correct” the issue. Thus, in VMark Software, multiple damages were not appropriate.
Key Takeaways
This decision underscores that Chapter 93A findings are highly fact-specific. Courts will assess both the unfairness of the conduct and the willfulness of the violation under the totality of the circumstances when determining liability and damages. Also, in the context of dealings with customers, the decision underscores the importance of attempting to resolve problems in good faith and not giving customers the “runaround.”
CPSC Announces “Record-Breaking Week” of Enforcement Actions Against Chinese Manufacturers
On May 15, 2025, the Consumer Product Safety Commission (CPSC or Commission) announced a “record-breaking week” of enforcement actions against “foreign violators.”[1] Namely, the Commission announced 28 separate product safety recalls and warnings for products manufactured in China, including a “first-of-its-kind enforcement sweep of off-brand Chinese faucets found to leach lead and other contaminates into U.S. drinking water.”[2] Many of these actions were taken “unilaterally,” meaning the Commission issued press releases warning consumers of potentially hazardous products without final approval from the products’ manufacturer or retailer.
The CPSC’s authority to take such unilateral action originates from Section 6(b) of the Consumer Product Safety Act (CPSA). Historically, the Commission’s use of unilateral action has been minimal. Companies typically find it advantageous to cooperate with the CPSC in disclosing hazards to the public. However, this recent “record-breaking week” may signify a more aggressive approach by the CPSC, particularly when it comes to foreign manufacturers that are arguably outside the CPSC’s immediate jurisdiction.
Unilateral Press Releases under the CPSA Section 6(b)
Section 6(b) governs the CPSC’s ability to publicly disclose information about consumer products, such as identifying the manufacturer and any product-specific information.[3] Before publicly disclosing this information, the agency must notify the company and provide it with an opportunity to correct, contest, or comment on the disclosure’s content.[4] The CPSC must give the company at least fifteen days to provide comments.[5] If, however, the CPSC disagrees with the company’s comments, the CPSC may unilaterally release information to the public—without the company’s final approval—so long as it has taken “reasonable steps” to ensure the information is accurate, fair in context, and reasonably related to the agency’s mission to protect the public.[6]
Section 6(b) proponents argue these safeguards are necessary to protect against reputational damage caused by false or inaccurate disclosures. Critics maintain its rigid framework delays potentially life-saving information from prompt public disclosure, with some arguing it should not exist at all. Even so, unilateral press releases could result in litigation, especially if the content turns out to be inaccurate.[7] Thus, the CPSC may delay the issuance of a unilateral press release to independently verify the information therein—which typically requires cooperation and further disclosure from the company.
Insight from the Commission
Previous statements made by Acting Chair Peter Feldman and Commissioner Douglas Dziak provide insight into their views on unilateral activity by the CPSC. In 2023 Peter Feldman publicly touted the Commission’s Section 6(b) powers stating, “The law provides due process for a firm to seek revisions of what it believes to be erroneous information. Nevertheless, the Commission is under no obligation to make edits if it disagrees.” Further, in 2024, the CPSC refused to retract a unilateral statement by Commissioner Richard Trumka encouraging retailers to refrain from selling certain weighted infant sleep products. The manufacturer of those products complained Trumka’s statement violated Section 6(b) procedures, compelling a response from both Feldman and Dziak: “We do not take such relief lightly” and “the publication of the statements constitutes final agency action. Given the procedural deficiencies in this matter, we believe that the relief sought is best obtained through an Article III court.”[8] Now, with Acting Chair Feldman at the helm, it may not be a surprise that the CPSC is turning to this regulatory tool with more frequency, particularly in instances involving products made in foreign countries.
Implications for Domestic Stakeholders and Foreign Manufacturers
For domestic importers, distributors, and retailers of foreign products, the increased risk of unilateral press releases may present some challenges. If a foreign supply partner fails to meet U.S. safety standards and refuses to cooperate with the CPSC, the burden of compliance may fall on the U.S. entity. The CPSC may also leverage the threat of a unilateral press release naming the domestic retailer to compel cooperation, even when the foreign manufacturer may be the more appropriate focus for the violation.
Given the CPSC’s increased exercise of its unilateral authority, particularly with respect to products manufactured abroad, companies that import, distribute, or sell consumer products—especially those sourced from foreign manufacturers—should perform the appropriate vetting and due diligence, verifying product safety at the outset of the supply chain. In addition—and to the extent possible—domestic stakeholders who import from abroad should work to include provisions in supply contracts that require foreign suppliers to cooperate with CPSC inquiries and recalls.
[1] The CPSC’s official statement is available here: https://www.cpsc.gov/Newsroom/News-Releases/2025/CPSC-Sets-New-Record-for-Safety-Notices-Protecting-American-Families-and-Leveling-the-Playing-Field-for-American-Business.
[2] Id.
[3] See 16 C.F.R. Part 1101.
[4] 16 C.F.R. § 1101.1(b)(1).
[5] Id.
[6] 16 C.F.R. Part 1101 Subpart D. The CPSC must first warn the company of its decision to do so and wait an additional five days before releasing the contested information to the public. 16 C.F.R. § 1101.25.
[7] See 16 C.F.R. § 1101.1(b)(3).
[8] The full statement can be found on the CPSC website: https://www.cpsc.gov/About-CPSC/Commissioner/Douglas-Dziak-Peter-A-Feldman/Statement/Statement-of-Commissioners-Peter-A-Feldman-and-Douglas-Dziak-on-the-Retraction-of-Infant-Sleep-Products-Statements.
Documents Show EPA Wants to Erase Greenhouse Gas Limits on Power Plants
The Environmental Protection Agency (EPA) has reportedly drafted a plan to eliminate all limits on greenhouse gases from coal and gas-fired power plants in the US. In its proposed regulation, the agency argued that greenhouse gases from power plants “do not contribute significantly to dangerous pollution” because they are a small and declining share of global emissions.
“The argument is a solid argument,” Bracewell’s Jeff Holmstead, who served in the EPA during both Bush administrations, told The New York Times.
But he wondered if it would hold up under a legal challenge. “I just don’t know if you’re contributing 3 percent of greenhouse gas emissions the court will say ‘that’s not significant’ when there’s hardly anybody that contributes more than that.”
WAR OF ATTRITION: Lead Seller Stuck in TCPA Suit After Settling with Litigator Wins Transfer of Third-Party Suit
Interesting little case for you folks today.
Any time you are in a TCPA class action that involves multiple parties– such as when a lead seller makes calls and then transfers the calls to a buyer who is subsequently sued– the defendants need to work together to avoid a terrible mistake.
The mistake– one party trying to settle out with the Plaintiff alone.
Why is this such a mistake?
Well, first it just funds the plaintiff’s ability to fight the lawsuit against the remaining parties. So it creates a “no lose” situation for the plaintiff and his lawyers.
But that’s just the half of it.
Most of the time the settling defendant isn’t actually out of the case at all– they get sucked back in by the other defendants who pull them down like the proverbial crabs in a pot.
For instance, in Katz v. Allied First Bank, 2025 WL 1489176 (N.D. Ill. May 24, 2025), Katz originally sued both Allied First Bank– the lead buyer–and Consumer Nsight– the lead seller– for calls allegedly made by CN without consent.
CN thought it would be smart to settle their claims with Katz and leave Allied holding the bag.
So silly.
Although CN ended up dismissed by Katz it was immediately sued by Allied and is now stuck in the case.
Except rather than fight out the claim in the same proceeding CN made another mistake and has asked–and was granted– a transfer of the suit.
In Katz the Court determined CN was not subject to personal jurisdiction in Illinois where the case was brought. So now CN will be sued in either Florida or Arizona, which is a hollow victory. Rather than being present to help defend against the underlying suit Katz brought it is now going to be fighting a residual lawsuit in a court room thousands of miles away.
Not smart in my view.
So what should have happened?
Well CN should have used its willingness to settle to push Katz to a global resolution and should have worked with Allied to get it done. If Allied really wanted to fight it should have negotiated a release from Allied before settling with Katz.
Instead all CN has accomplished is feeding Katz to make sure he can pursue his case against Allied– and by extension Allied’s case against CN.
Just a terrible move IMO.
In any event we will keep an eye on this.
Pretty clear takeaways:
Lead purchases continue to be risky so make sure you know and trust your partners!
Do NOT settle a case and expect to walk away if there are other parties involved. Negotiate the deal globally or arrange a release from co-defendants.
Federal Take It Down Act Targeting Revenge-Porn Becomes Law
On May 19, 2025, President Donald Trump signed into law the Take It Down Act (S.146). The federal legislation criminalizes the publication of non-consensual intimate imagery and AI-generated pornography. It follows legislation targeting online abuse that approximately forty states have already enacted.
What are the Take It Down Act’s Requirements?
The federal Take It Down Act creates civil and criminal penalties for knowingly publishing or threatening to share non-consensual intimate imagery and computer-generated intimate images that depict real, identifiable individuals. If the victim is an adult, violators face up to two years in prison. If a minor, up to three years.
Social media platforms, online forums, hosting services and other tech companies that facilitate user-generated content are required to remove covered content within forty-eight hours of request and implement reasonable measures to ensure that the unlawful content cannot be posted again.
Consent to create an image will not be a defense.
Exempt from prosecution are good faith disclosures or those made for lawful purposes, such as legal proceedings, reporting unlawful conduct, law enforcement investigations and medical treatment.
What Online Platforms are Covered Under the Take It Down Act?
Covered Platforms include any website, online service, application, or mobile app that serves the public and either: (i) provides a forum for user-generated content (e.g., videos, images, messages, games, or audio), or (ii) in the ordinary course of business, regularly publishes, curates, hosts or makes available non-consensual intimate visual depictions.
Covered Platforms do not include broadband Internet access providers, email services, or online services or websites with primarily preselected content where the content is not user-generated but curated by the provider – and interactive features are merely incidental or directly related to the pre-selected content.
What are the Legal Obligations for Covered Online Platforms?
The Take It Down Act requires covered platforms to ensure compliance via, without limitation: (i) providing a clear and accessible complaint and removal process; (ii) providing a secure method for identity verification; and (iii) removing unlawful content and copies thereof within forty-eight hours of receipt of a verified complaint.
The new law also contains recordkeeping and reporting requirements.
While not expressly required, platforms are well-advised to address content moderation filtration policies. Reasonable efforts are, in fact, required to identify and remove any known identical copies of non-consensual intimate imagery.
Website agreements, as well as reporting and removal processes are amongst the legal regulatory operational compliance areas that warrant consideration and attention.
Who is Empowered to Enforce the TAKE IT DOWN Act?
The Federal Trade Commission has been authorized to enforce the Take It Down Act notice and takedown requirements against technology platforms that fail to comply. Violations are considered deceptive or unfair.
Good faith, prompt compliance efforts may be considered a safe harbor and a mitigating factor for platforms in the context of regulatory enforcement. Internal processes that document good faith compliance efforts, including the documentation of all takedown actions, should be implemented in order to avail oneself of the safe harbor.
Removal and appeals processes must be implemented on or before May 19, 2026.
Takeaway: Covered online platforms including, but not limited to, those that host images, videos or other user-generated content should consult with an FTC and State Attorneys General defense and investigations attorney to discuss compliance with the Act’s strict takedown obligations, and do so in advance of the effective date in order to minimize potential liability exposure.
New York Attorney General Advances Consumer Protection FAIR Act Intended to Bolster GBL Section 349
In March 2025, the Office of the Attorney General for the State of New York introduced the Fostering Affordability and Integrity Through Reasonable (“FAIR”) Business Practices Act in the State Senate and State Assembly. The proposed legislation is intended to revise Article 22-A of New York’s General Business Law.
The FAIR Act is designed to expand and strengthen consumer and small business protections, in part, by amending New York’s General Business Law §349 to also cover “unfair” and “abusive” practices, rather than just “deceptive” practices. Many other states have already enacted UDAP statutes. The bill may foreshadow what is to come from numerous state consumer protection enforcers as federal consumer protection enforcement is being rolled back and policy under the current administration remains uncertain.
As drafted, the program bill would provide the New York Attorney General and private plaintiffs the ability to seek enhanced civil penalties and restitution in amounts significantly more than available statutory damages pursuant to New York General Business Law Section 349. The FAIR Act would significantly increase statutory damages available under GBL §349 from $50 to $1,000, and permit recovery of actual and punitive damages. Penalties for unfair, deceptive or abusive practices could potentially include penalties of up to $5,000, per violation. Knowing or willful violations could result in penalties totaling the greater of $15,000 or three times the amount of restitution, per violation. Prevailing plaintiffs in private actions would also be permitted to recover attorneys’ fees and costs.
Analogous to federal policy, the proposed legislation provides for enhanced civil penalties for harm to vulnerable people, veterans and those with limited English proficiency. The FAIR Business Practices Act contemplates stopping lenders, including auto lenders, mortgage servicers, and student loan servicers, from deceptively steering people into higher cost loans. It would purportedly reduce unnecessary and hidden fees and stop unfair billing practices by health care companies.
The bill would also permit the NY AG and private plaintiffs (individuals, small businesses and non-profits) to enforce even a single instance of unfair, deceptive and abusive acts and practices, including, but not limited to, false advertising. Moreover, its prohibitions apply regardless of whether the act or practice is “consumer-oriented,” possesses a “public impact,” or is part of a “pattern of conduct” – judicially imposed limitations that presently exist pursuant to GBL §349.
“This legislation will strengthen New York’s consumer protection law, GBL §349, to protect New Yorkers from a wide array of scams, including deed theft, artificial intelligence (AI)-based schemes, online phishing scams, hard-to-cancel subscriptions, junk fees, data breaches, and other unfair, deceptive, and abusive practices. Forty-two other states and federal law already prohibit unfair practices, making New York’s current law both antiquated and inadequate,” according to the NY Office of the Attorney General.
New York’s current consumer protection law, GBL §349, prohibits only deceptive business acts and practices, not unfair or abusive acts by companies and individuals. The FAIR Business Practices Act is designed to protect New Yorkers from unfair and abusive business acts, such as:
The imposition of hidden “junk fees” in various industries
Companies that make it difficult for consumers to cancel subscriptions
Student loan servicers that steer borrowers into the most expensive repayment plans
Car dealers that refuse to return a customer’s photo ID until a deal is finalized and charge for add-on warranties that the customer did not actually purchase
Nursing homes that routinely sue relatives of deceased residents for their unpaid bills despite not having any basis for liability
Companies that take advantage of consumers with limited English proficiency and obscure pricing information and fees
Debt collectors that collect and refuse to return a senior’s Social Security benefits, even though they are exempt from debt collection
Health insurance companies that use long lists of in-network doctors who turn out not to accept the insurance
The proposed legislation reflects the federal Consumer Financial Protection Act that prohibits unfair, deceptive or abusive acts and practices (“UDAAP”).
The Fair Business Practices Act provides specific definitions for the following terms:
Unfair: An act or practice is considered unfair when it causes or is likely to cause substantial injury to a person, the injury is not reasonably avoidable by such person, and the injury is not outweighed by countervailing benefits to consumers or competition. Note, however, that the FAIR Act’s definition of “unfair” does not possess a provision similar to the CFPA’s § 5531(c)(2) that permits regulatory agencies to weigh public policy when assessing whether an act or practice is unfair.
Deceptive: An act or practice is deceptive when the act or practice misleads or is likely to mislead a person and the person’s interpretation of the act or practice is reasonable under the circumstances.
Abusive: An act or practice is abusive when it materially interferes with the ability of a person to understand a term or condition of a product or service, or it takes unreasonable advantage of (i) a person’s lack of understanding of the material risks, costs, or conditions of the product or service; (ii) a person’s inability to protect such person’s interests in selecting or using a product or service; or (iii) a person’s reasonable reliance on a person covered by this section to act in such person’s interests.
New York business groups have criticized the consumer protection bill intended to strengthen consumer protection against deceptive practices such as junk fees and hard-to-cancel subscriptions. Business groups are aggressively resistant to the program bill, asserting that the legislation would be exploited, resulting in frivolous and abusive litigation that will weaken New York’s ability to attract and keep businesses.
Affirmative defenses to the Fair Business Practices Act could potentially include, without limitation, a private plaintiff meeting minimum threshold standing requirements, the alleged harm being capable of remedy via federal securities or intellectual property laws, and/or the alleged harm arising during the course of a high-value experienced commercial transaction and directed to the involved parties only. Contact a States Attorney General law firm if you or your business are the subject of a New York State or other State Attorney General subpoena or inquiry.
The Act is intended to expand consumer and small business protections, and enhance the scope of available remedies. If passed, it is anticipated that the law will result in a dramatic increase in private consumer lawsuits, and New York State Attorneys General investigation and enforcement.
Takeaway: New York’s existing consumer protection law is primarily governed by GBL §349 which focuses primarily on “deceptive” acts and practices. According to the New York AG, GBL §349 is antiquated and insufficient to adequately protect New Yorkers. Businesses operating in New York should consult with an Attorney General defense lawyer and monitor the progress of the FAIR Act. As drafted, the bill would increase the damages available in a private right of action from the greater of $50 or actual damages under current law to $1,000 in statutory damages, plus the aggrieved person’s actual damages, if any. In cases involving willful or knowing violations, courts would be mandated to award treble damages, reasonable attorneys’ fees and costs to a prevailing plaintiff. The Act would also permit class action lawsuits to recover actual, statutory or punitive damages if the prohibited act or practice has caused damage to others similarly situated. The availability of supplemental civil penalties for vulnerable persons would also be significantly expanded. If enacted into law, an experienced State Attorneys General law firm can assist with the implementation of business practices designed to comply with applicable New York State legal regulatory requirements, including, but not limited to additional restrictions relating to “unfair” and “abusive” acts or practices, and the review of applicable business and advertising practices.
Texas AG Announces $1.375 Billion Settlement with Google for Privacy Violations
On May 9, 2025, Texas Attorney General Ken Paxton announced a $1.375 billion agreement in principle to settle cases it filed against Google in 2022 alleging that Google unlawfully collected, stored and used certain personal data of Texans without consent, including location information, biometric identifiers and web browsing activity. More specifically, according to the AG’s allegations, Google (1) continued to collect and use precise location data even when users disabled location services, (2) misled users to think that activity would not be tracked when using the “Incognito” mode in Google’s Chrome browser, and (3) captured and used biometric identifiers, such as voiceprints and facial geometry, in violation of the Texas Capture or Use of Biometric Identifier Act through products such as Google Photos and Google Assistant.
A press release from the Texas AG’s Office stated that the settlement delivers “a historic win for Texans’ data privacy and security rights. . . . To date, no state has attained a settlement against Google for similar data-privacy violations greater than $93 million. Even a multistate coalition that included forty states secured just $391 million — almost a billion dollars less than Texas’s recovery.”
A Google spokesperson said in a statement that the agreement “settles a raft of old claims, many of which have already been resolved elsewhere, concerning product policies we have long since changed.” The spokesperson said that Google is pleased to put the claims behind them and will continue to build robust privacy controls into Google services.
FTC Extends ‘Click-to-Cancel’ Rule Deadline
On May 9, 2025, the Federal Trade Commission (FTC) voted to extend the compliance deadline for the Negative Option Rule by 60 days. The Rule, sometimes called the “Click-to-Cancel Rule,” will now be effective July 14, 2025.
In a statement regarding the extension, the FTC explained that, in its view, companies need additional time to address the complexities of the Click-to-Cancel Rule. “Having conducted a fresh assessment of the burdens that forcing compliance by [May 14, 2025] would impose, the Commission has determined that the original deferral period insufficiently accounted for the complexity of compliance.”
Background
On Oct. 16, 2024, the FTC announced its final “Click-to-Cancel” Rule for subscription services and other negative option offers. The rule requires sellers to make it as easy for consumers to cancel subscriptions as it was to sign up for them. The rule also changes businesses’ marketing, disclosure, consent, and recordkeeping requirements and gives the FTC the authority to seek redress and civil penalties for rule violations.
The rule amends the FTC’s 1973 Negative Option Rule. In a press release issued at the time the final rule was issued, the Commission explained it was “modernizing” the Negative Option Rule “to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs in an increasingly digital economy where it’s easier than ever for businesses to sign up consumers for their products and services.” The Commission also explained that it “receives thousands of complaints about negative option and recurring subscription practices each year,” with the number of complaints “steadily increasing over the past five years.”
The Rule
Negative Option Features
The rule applies to “negative option features.” Negative option features are contract provisions “under which a consumer’s silence or failure to take affirmative action to reject a good or service or to cancel the agreement is interpreted by the negative option seller as acceptance or continuing acceptance of the offer.”
Negative option features are widely used. They include “prenotification plans,” like book-of-the-month clubs, in which sellers first offer and then send—and charge for—a good if the consumer takes no action to decline the offer. They include “continuity plans,” like bottled-water delivery, in which consumers agree in advance to receive periodic shipments of goods or provision of services until they cancel the agreement. They include “automatic renewals,” like magazine and streaming service subscriptions, in which sellers automatically renew consumers’ subscriptions when they expire, unless consumers affirmatively cancel the subscriptions. And they include “free trials” in which goods or services are offered for free (or at a reduced price) for a trial period and, after the trial period, at a higher price unless consumers affirmatively cancel or return the goods or services.
Compliance Requirements
The rule defines four practices as unfair and deceptive within the meaning of Section 5 of the FTC Act.
1. Misrepresentations. The rule prohibits negative option sellers from misrepresenting, expressly or by implication, any material fact, including any fact regarding the negative option feature or the cost, purpose or efficacy, health, or safety of the underlying good or service.
2. Disclosures. The rule requires negative option sellers to clearly and conspicuously disclose, prior to obtaining the consumer’s billing information, all material terms, including, but not limited to, the material terms relating to the negative option offer.
3. Consent. The rule requires negative option sellers to obtain the consumer’s express, informed consent to the negative option feature, separately from any other portion of the transaction and before charging the consumer—for instance, via a separately presented check box.
4. Easy Cancellation. The rule requires negative option sellers to provide a simple cancellation mechanism for consumers to cancel the negative option feature, with that mechanism being “at least as easy to use as the mechanism the consumer used to consent” to the negative option feature. Moreover, the cancellation mechanism must be provided through the same medium the consumer used to sign up for the negative option feature, and cannot be only a live or virtual representative, like a chatbot. That is, if consumers sign up for a service online, they cannot be required to interact with a live or virtual representative, like a chatbot, to cancel.
Takeaways
With the rule’s new compliance deadline now set for July 14, 2025, businesses should take this additional time to review their current negative option offers and develop remediation plans, if necessary, to comply with the rule—and with additional state law requirements that apply to negative option features.
NY DOH Publishes Electronic Material Health Care Transaction Reporting Form, Increasing Disclosure Requirements to Include Potentially Sensitive Business Information
On May 15, 2025, the New York State Department of Health (“DOH”) announced the launch of the electronic Material Transaction Reporting Form for health care transactions (“Electronic Form”). To assist reporting entities in preparing their submissions, the DOH has also released a list of all questions included in the Electronic Form.
Collectively, the reporting requirements set forth in the Electronic Form appear significantly more extensive than those imposed by other states, including California’s health care transaction reporting framework. Notably, the Electronic Form includes obligations to disclose potentially sensitive business information, such as investor materials.
Existing Statutory Authority
Proskauer has tracked the evolving reporting obligations in a series of posts, including one published last month that discussed the latest DOH guidance concerning the reporting obligations.
Pursuant to PHL § 4552, a health care entity shall submit to the DOH “written notice, with supporting documentation as described below and further defined in regulation developed” by the DOH. Such written notice “shall include, but not be limited to:”
The names of the parties to the material transaction and their current addresses;
Copies of any definitive agreements governing the terms of the material transaction, including pre- and post-closing conditions;
Identification of all locations where health care services are currently provided by each party and the revenue generated in the state from such locations;
Any plans to reduce or eliminate services and/or participation in specific plan networks;
The closing date of the proposed material transaction; and
A brief description of the nature and purpose of the proposed material transaction.
As of the publication date of this post, the DOH has not promulgated regulations concerning the law. Nevertheless, the Electronic Form outlines a range of documents and information that reporting entities must submit to the state as part of a material transaction report.
Reporting Obligations to Consider
Below are certain categories of information requested in the Electronic Form that may raise particular concerns for investors and sponsors. Some of the requested categories are sensitive in nature, and careful attention should be paid to ensuring that the DOH treats the submitted information as confidential. Other categories of requested information may require significant effort to analyze and prepare a response, particularly for larger enterprises.
Reporting Obligation Contained in Electronic Form / Impact and Considerations

Reporting Obligation: Part 2, Section A.10
- Provide the identities of and interrelationships among the Party and all persons known to control or to be controlled by or under common control with the Party, in a chart that clearly presents the relationships.
- Additionally, the organizational chart must identify (1) voting percentage: the percentage of voting securities for each person identified in the organizational chart and (2) other control: if control of any person is maintained other than by the ownership or control of voting securities, then indicate the basis of such control for each relevant party identified in the organizational chart; as to each person, indicate the type of organization (e.g., corporation, trust, partnership) and the State or other jurisdiction of domicile.
Impact and Considerations: The form appears to require broad disclosure of ownership and control rights of each Party. Of note, the form asks for the disclosure of “all persons known to control or to be controlled by or under common control with the Party,” which may require analysis and review in highly complex, sponsor-backed deal structures to disclose affiliates of the Party.

Reporting Obligation: Part 3, Section B-C
- Projected annual revenue (in $ millions) of the Surviving Entity over the next three years.
- Provide information on all transaction activity in the past 3 years by each Party to this Material Transaction.
Impact and Considerations: Any “Party” to the “Material Transaction” must report historic “transaction activity.” The Electronic Form does not clarify whether the disclosure obligation concerns all other historic Material Transactions, or if the DOH expects a party to disclose all historic transactions involving health care entities in the state, regardless of size over the prior 3 years. The historic transaction reporting obligation may require careful review and consideration by entities who consistently engage in transactions in the ordinary course of business.

Reporting Obligation: Part 3, Section D, Subparagraphs (c)-(d)
- How many transactions has the Surviving Entity from this Material Transaction engaged in within the prior 12 months (from the anticipated close of this Material Transaction) that have increased gross in-state revenues?
- Considering the most recent of these transactions: Submit the Surviving Entity’s standalone gross in-state revenue before the transaction’s close date. Submit the combined gross in-state revenue of the Parties to this transaction as of the transaction’s close date.
Notice: Any series of transactions designed to evade the threshold provisions of this article shall be deemed a Material Transaction and subject to the notice requirements of Article 45-A of the Public Health Law.
Impact and Considerations: In posing this question, it appears that the DOH is requiring parties to submit information as to prior transactions in a 12-month period in order to potentially determine whether the Parties have complied with the reporting obligations.

Reporting Obligation: Part 3, Section E
- For all Parties, submit Financial Statements in conformity with U.S. Generally Accepted Accounting Principles (“GAAP”) or other accounting principles prescribed or permitted under law (audited with an independent CPA’s opinion thereof, preferred but not required) of the Parties to this Material Transaction as of the end of the last two fiscal years.
These financial statements shall include the following components: Balance Sheet; Income Statement; Statement of Cash Flows; Notes to Financial Statement (Narrative); and For the Surviving Entity, also submit projected financial statements dated one day after closing.
Impact and Considerations: The Electronic Form requires all Parties to the Material Transaction to submit financial information.

Reporting Obligation: Part 4, Section A, Subparagraph (a)-(c)
- Describe the health care services provided by each Party to the Material Transaction at all locations of operation within New York.
- Does any party to this transaction directly or indirectly employ physicians? If so, each party that directly or indirectly employs physicians should fill out the “Physician Locations Spreadsheet” and upload it in question A(d).
Impact and Considerations: The question asks an entity to report all locations in which it operates in New York. For each location, the Electronic Form asks for gross in-state commercial, Medicare, Medicaid, and other revenue. In addition, if any Party to the Material Transaction employs physicians, the entity is to upload an additional worksheet, titled “Physician Location Spreadsheet”. The spreadsheet requires detailed reporting of physician relationships, including whether the physician is employed or otherwise affiliated with the Party, including their NPI, and hours worked at each location.

Reporting Obligation: Part 4, Section B
Which best describes this transaction?
An acquisition resulting in a Surviving Entity
- For each acquired entity, in the 12-month period preceding the proposed transaction, what is the average contracted commercial payor rate for each service line identified in Question A (a) (v) (“Services Offered at Location”)? Your response should be expressed in a dollar ($) amount.
- For the surviving entity, what is the anticipated overall contracted commercial payor rate by service line in the year immediately following the Material Transaction close date for the Surviving Entity as a result of this transaction?
A merger or other transaction resulting in the formation of a New Entity (“NewCo”)
- For each entity involved in the formation of NewCo, in the 12-month period preceding the proposed transaction, what is the average contracted commercial payor rate for each service line identified in Question A (a) (v) (“Services Offered at Location”)? Your response should be expressed in a dollar ($) amount.
- For the NewCo, what is the anticipated overall contracted commercial payor rate increase in the year immediately following the Material Transaction close date as a result of this transaction? For any commercial rate increases that are expected as a result of the deal, describe in detail (including any differential in rate increases expected by service and/or location, and the degree of the differential).
Impact and Considerations: The question requires the reporting entity to submit confidential and detailed information concerning health plan reimbursements for each “service line.” The Electronic Form does not define what a “service line” is, a term traditionally utilized by hospitals to describe their business segments.

Reporting Obligation: Part 5
- Required Documents: Definitive Transaction Document(s) (e.g., Asset Purchase Agreement); Charter and Bylaws; Operating Agreements or Partnership Agreement(s); and Financing Agreements or documents.
- As Applicable Documents: Fairness Opinions, Offering Memoranda, Private Placement Memoranda, Investor Disclosure Statements, and Other Investor Solicitation Materials.
Impact and Considerations: The broad document request covers a host of documents that are treated as highly confidential in the ordinary course of business.
PROFESSIONAL NEGLIGENCE?: Vonage Failed to Honor DNC Requests in a Manner Leading to TCPA Class Action New Lawsuit Claims
So I was reviewing a $90+MM telecommunications services contract for a major brand yesterday.
$90MM folks.
The money in this industry is insane. But so are the stakes.
Fail to set up your system right and face a TCPA class action with damages that may dwarf an 8 figure contract.
Here’s a cautionary tale.
A company called YF FC Operations, LLC, dba YouFit was sued in a TCPA class action down in Florida by Jeniel Petrovich and Mauricio Cardero.
The essence of the allegations, apparently, was that YouFit failed to honor a DNC request received by YouFit via text message.
Not good.
But YouFit didn’t take the issue lying down.
Instead it sued its telecommunications provider, Vonage, for indemnity and professional negligence, claiming that it was Vonage’s fault the stop notifications at issue in the underlying TCPA class action were not honored.
Per YouFit’s complaint:
On or around July 22, 2023, YouFit engaged Vonage to perform an integration of its systems with YouFit’s CRM provider Hubspot so that YouFit could communicate with its customers and potential customers using a short code (the “Integration”) rather than its toll-free number. The Integration was intended to monitor for the receipt of opt-out text messages from YouFit customers and, upon receipt of an opt-out text message, the customer’s request would be noted in Hubspot and further communication via text would end.
Because of Vonage’s actions, the opt-out messages of Petrovich and Cardero, and potentially thousands of other putative class members, were not recorded in Hubspot as was intended by the Integration. Subsequently, Vonage sent text messages potentially in violation of the TCPA and/or the FTSA.
Now let me just say, I HATE the content of these paragraphs to the extent they essentially concede away critical issues in the TCPA suit.
Why would you admit that “potentially thousands” of individuals received illegal text messages? Literally no reason to do that. Allegations that if anybody received text messages (which should be denied) it was Vonage’s fault would have been sufficient.
But I digress.
The point is that YouFit went straight for the jugular here against Vonage. The Complaint goes on to allege that Vonage shirked its responsibilities to YouFit to defend the suit:
After the Class Action was served on YouFit, YouFit advised Vonage of the Class Action and requested that Vonage assist in the defense and resolution of the Class Action in light of Vonage’s actions. Vonage rejected the request.
Now I am going to guess that Vonage had a contract that disclaimed all liability here, so it will be very interesting to see how this plays out.
Complaint here: Vonage Removal
The bottom line is companies need to be working hand in glove with their telecom platforms to avoid this sort of thing and retaining knowledgeable counsel.
CRITICAL to keep in mind the following when setting up an outreach campaign and to EXPRESSLY set these items out in the MSA or IOs:
Which party is responsible for providing phone numbers to be called? Where will they be sourced from? What level of consent will be required? How will that consent be documented and stored?
Which party is responsible for supplying the DIDs (outpulse phone numbers)? How will they be provisioned? How long will they be kept? Is the use of local touch permitted in the jurisdiction to which calls are made? Who is responsible for assuring that?
Which party is responsible for ingesting, tracking and honoring revocation notifications? How broadly will those revocations be treated? How will multi-channel revocations be handled?
Is the platform to be treated as an ATDS or regulated technology under the TCPA or state laws? If not, who has the risk associated with that assumption? If so, who has the responsibility to assure compliance with applicable consent rules?
Is AI to be used? If not, there should be a clear representation to that effect. If so, there should be a clear articulation of whose responsibility it is to assure training and accuracy of AI model, disclosure of AI usage, and properly documented consents and AI-specific opt outs.
Is telemarketing at issue here? If so, who has responsibility for TSR recordkeeping requirements?
Is outreach to be recorded or reviewed in real time either by the calling party or by any third-party vendor? If so, a massive number of state-level privacy laws may be triggered, particularly the anti-wiretapping statutes like the California Invasion of Privacy Act. CRITICAL to spot these issues and assign compliance responsibilities between the parties.
These are just a handful of the issues that need to be thought through in virtually any deal. If you’re not working with experienced counsel that knows how to work through these issues you could be in SERIOUS trouble.
Just ask YouFit.
And trust me, suing for indemnity after facing a potentially business-ending lawsuit is not where you want to be. Set expectations. Work with good partners. And, most importantly, work with good counsel. And you should be able to avoid these issues in the first place.