Raising the Bar: SEC Evaluating an Increase in Minimum AUM Threshold for Investment Adviser Registration

On April 8, 2025, Acting SEC Chairman Mark T. Uyeda gave a speech signaling that the SEC may revisit the current minimum assets under management (“AUM”) threshold for federal registration, potentially reducing the number of investment advisers required to register with the SEC. Though Uyeda’s time as Acting Chair has now ended due to the confirmation of Paul Atkins as SEC Chair, Uyeda’s willingness to raise the issue publicly suggests he expects Atkins will carry the initiative forward.
In his remarks at the Annual Conference on Federal and State Securities Cooperation, Uyeda stated that he had directed SEC staff to evaluate whether this threshold — unchanged since 2012 — remains appropriate given the current market and the SEC’s regulatory priorities. The specificity of the speech, and in particular the statement that he had asked the staff to evaluate the current framework, likely indicates that the proposal process has already begun.[1]
An increase in the minimum threshold could mean that currently SEC-registered investment advisers falling below the new threshold would withdraw their SEC registrations and register with state regulators or, alternatively, claim exemptions at the state level (if available). The prospect of state-level registration may be bittersweet for some investment advisers. While some advisers may be eager to escape from SEC jurisdiction, state regulators may be less familiar with the complex transactions, fund structures and terms and other market practices that are the norm across private funds. This could pose challenges, and an adviser’s experience can vary widely depending on the regulators with which it is registered.
Key Takeaways for Investment Advisers

Currently, investment advisers with more than $100 million in AUM[2] must register with the SEC unless an exemption applies (for example, exemptions are available for private fund advisers with AUM below $150 million, as well as for advisers to venture capital funds).
If the SEC were to increase the AUM threshold at which an adviser is required to register with the SEC (which it could accomplish through its current rulemaking authority under the Advisers Act), affected advisers that are currently SEC-registered or are claiming exemptions from SEC registration, but that have AUM below such new threshold, would be required to withdraw their SEC registrations or exemption filings and, if required, would register with applicable state regulatory authorities (unless an exemption applies at the state level, such as the state-level equivalents of the SEC’s “exempt reporting adviser” exemptions that have been adopted in many states).
This development is consistent with the broader theme in recent months of the SEC seeking to recalibrate certain rules to ease burdens on smaller firms.

Why the SEC May Revisit the $100M AUM Threshold
Uyeda suggested that the current threshold may no longer reflect its original intent, which was to reserve SEC oversight for larger investment advisers.
The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”)[3] increased the AUM-based registration threshold to its current level.[4] The purpose, as expressed at the time, was to decrease the number of advisers registered with the SEC. As a result of the law and associated rule changes, more than 3,000 investment advisers withdrew their SEC registration.
In his recent speech, Uyeda noted the number of SEC‑registered advisers has grown by approximately 45 percent since the last adjustment.[5] Uyeda suggested that it would be consistent with Congressional intent for certain “mid-sized” firms to be subject to registration at the state level instead of with the SEC.
Additional Proposal: Streamline Interplay of Federal and State Laws in Regulation of Securities Transactions
Uyeda also suggested re-evaluating the current system of federal pre-emption of state securities laws in connection with securities issuances, resales and other securities transactions. As he noted, the question of whether federal laws pre-empt state laws — which affects, among other things, whether an offering of securities by a private issuer must comply with state securities laws in addition to federal law — can be complicated, which can hinder capital formation. His suggestion is consistent with the theme of recalibration that has been emerging from the SEC over the past several months.[6]
Uyeda’s Remarks in Broader Context
Uyeda’s remarks are not a formal proposal but are a clear indication that this area is ripe for regulatory reform. This adds to a growing list of developments that investment advisers and issuers alike will be monitoring closely as the new administration continues to build momentum.

[1] While nothing is guaranteed, similar statements by previous Chairs have presaged later SEC actions. For example, in a 2021 speech to the Institutional Limited Partners Association, then-Chair Gensler stated that he had “asked the staff to consider” various recommendations that closely tracked the framework of the now-voided Private Fund Adviser Rules, and made similar statements that tracked the 2022 amendments to Form PF. Prior to that, Acting Chair Lee gave a speech signaling the beginning of the rulemaking process on the SEC’s Climate Rule, as well as amendments to Form N-PX that were later adopted and a proposal relating to fund and adviser ESG metrics.
[2] Or more than $25 million, for advisers whose home state would either not require them to register with the state or, if registered at the state level, would not be subject to examination by the state.
[3] There were, and remain, other reasons beyond AUM that can cause or permit an investment adviser to register with the SEC. For example, an investment adviser that would be required to register in numerous states is permitted to register regardless of AUM, and an investment adviser to a registered investment company is required to register regardless of AUM.
[4] The Dodd-Frank Act also removed the private adviser exemption, which exempted advisers with fewer than 15 clients from registration regardless of AUM. Advisers to private funds frequently were able to rely on this exemption from registration because the adviser’s clients are its funds and not the underlying investors.
[5] Though not directly noted in the speech, Uyeda has been associated with previous efforts by the SEC to update thresholds that result in additional regulatory oversight or obligations. For example, he was listed as a senior member of the team that drafted the 2020 proposal that would have raised the threshold to file Form 13F.
[6] The SEC is not the only financial regulator considering recalibration; in the UK, the Treasury Ministry recently called for input on a proposal that would significantly increase the threshold for full scope AIFM registration, as well as several related reforms.

“I AM GOING TO ASK YOU NOT TO CALL MY HOUSE AGAIN”: Documents in TCPA Class Action Against Molina Healthcare Sealed – But It Doesn’t Seem Like that Will Help

So Molina Healthcare is facing a pretty serious TCPA class action up in Washington state.
At issue are claims a lady was tricked or duped or confused into switching to Molina from Aetna and then Molina kept calling her even after she said “I am going to ask you not to call my house again”–which is pretty clear in my view.
Plus Molina was using prerecorded calls which are automatically actionable when sent for marketing purposes without consent to either a cell phone or landline–not good for Molina.
Perhaps even worse news for Molina, they have #biglaw defending them against Avi Kaufman–one of the best class action attorneys in the nation. So I have a feeling I know where this is headed. 
I mean, you can’t say BIG LOSS without big law…
But who knows, maybe they’ll pull off a big win. We’ll see.
The Plaintiff’s class certification effort is now fully briefed and the Court just issued an order sealing some of the material designated confidential by the parties. This means nosy operators of TCPA blogs can’t comb through all the records.
Too bad.
Sealing order is Ramey v. Molina, 2025 WL 1100632 (W.D. Wash March 20, 2025).
But what we do know is Molina (or someone acting on its behalf) allegedly called the Plaintiff and duped her into switching healthcare plans away from Aetna. When Plaintiff figured that out she switched back to Aetna but Molina kept calling. No way to know for sure if those facts are true.
Then again, according to Plaintiff’s expert Molina made hundreds of prerecorded calls to numbers within a sample set that were on the company’s internal DNC list. Plaintiff extrapolates there will be over 22,000 individuals in the full set who received approximately 200,000 prerecorded calls AFTER being asked to stop calling. Eesh.
No idea if any of this is true, of course, and a lot of the record is sealed but it seems Molina could be facing $1BB or so in exposure here. Eesh.
We’ll see what happens next.
But it’s just another example of how dangerous TCPAWorld can be, folks. If you are using prerecorded calls to contact consumers you need to make absolutely sure your internal DNC practices are in great condition and be sure to retain TOP NOTCH TCPA counsel to defend any resulting class litigation.

Sixth Circuit Creates Circuit Split on Who is a “Consumer” Under Video Privacy Protection Act

The Video Privacy Protection Act (VPPA) is a federal law aimed at prohibiting the unauthorized disclosure of a person’s video viewing history. While the VPPA was originally enacted to prevent disclosure of information regarding an individual’s video rental history from businesses like Blockbuster in 1988, the explosion of the internet in the decades since has greatly expanded its potential reach, giving rise to countless lawsuits targeting businesses’ websites. One such case, involving the alleged disclosure of the plaintiff’s video viewing history through use of Meta’s data-tracking Pixel, was recently decided by the United States Court of Appeals for the Sixth Circuit, in a decision that serves to narrow the reach of the VPPA.
In a published opinion, the Sixth Circuit addressed the issue of who can be considered a “consumer” – and thus able to bring a claim – under the VPPA. The VPPA defines the term “consumer” to mean “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” Citing longstanding canons of statutory construction, the Sixth Circuit reasoned that, when read in context of its surrounding text, the phrase “goods and services” is limited to audiovisual goods and services. The plaintiff, a subscriber to 247Sports.com’s newsletter which contained links to videos that were accessible to anyone on the website, failed to allege that the newsletter itself was audiovisual material, and thus was not protected under the VPPA.
Notably, the Sixth Circuit’s decision was contrary to the conclusions previously reached by other Federal Courts of Appeals, specifically the Second and Seventh Circuits. Those courts had endorsed a broader interpretation of the term, considering a subscriber of any of the provider’s goods or services to be a “consumer” under the VPPA, regardless of whether the subscription was specifically for audiovisual materials. By defying this trend, the Sixth Circuit creates a circuit split that may be resolved by the Supreme Court of the United States. The defendant in the Second Circuit case on this issue has petitioned the Supreme Court to review the decision. Now, with a circuit split apparent, the Supreme Court may be more likely to intervene.
Against this uncertain backdrop, and with the wave of Meta Pixel and similar lawsuits continuing, businesses will need to carefully evaluate the operation of their websites and whether they may be subjected to a VPPA claim. The review should also include an analysis of the effectiveness of any consent provisions that the business may be relying on to avoid liability. Businesses should be aware of the risks presented by the entities they acquire or merge with whose data sharing practices may implicate the VPPA. To mitigate the risk of liability, due diligence in any such transaction should include a thorough review of the target company’s data practices, compliance with privacy regulations, and any ongoing or potential lawsuits tied to the use of tracking technology.

Outlining Critical MTS Cybersecurity Requirements

On January 17, 2025, the US Coast Guard published a final rule titled “Cybersecurity in the Marine Transportation System,” setting a baseline for cybersecurity standards. This rule, which is set to take effect on July 16, 2025, introduces mandatory cybersecurity measures for US-flagged vessels, Outer Continental Shelf facilities, and certain facilities regulated under the Maritime Transportation Security Act of 2002.
This article I co-authored with Andy Lee for MarineLink highlights the implications of the rule on the maritime transportation system. We recommend industry participants begin evaluating their current capabilities and developing comprehensive compliance strategies.
The integration of digital technologies and interconnected systems within the MTS has heightened vulnerability to cyber threats. Recognizing these risks, the USCG’s rule sets a baseline for cybersecurity standards, ensuring entities within the MTS can effectively detect, respond to, and recover from cyber incidents.
www.marinelink.com/…

NOW WE’RE TALKING!: Healthcare, Inc. Sues TCPA Plaintiff to Recover Damages for Frivolous Suit and I Love to See it

The only way we’re going to stop frivolous TCPA lawsuits– other than by deleting the most-abused TCPA provisions– is for victims of frivolous TCPA lawsuits to fight back.
And that is just what Healthcare, Inc. appears to be doing in Arizona right now.
In Healthcare, Inc. v. Doyle, 2025 WL 1094309 (D. Az April 11, 2025) a court refused to dismiss Healthcare’s suit against Doyle finding that the dispute is worth more than $75k for jurisdictional purposes– which is a pretty stunning finding all on its own.
But let’s back up and look at the facts here.
Per the court’s order:
Doyle [filed suit] in the District of New Jersey against HCIS for allegedly violating the Protection Act. (Id. ¶ 19.) Doyle alleged in his complaint that he received a call from an agent of HCIS and believed the call was both unconsented to and either prerecorded or otherwise artificial. (Id.) HCIS filed a motion to dismiss Doyle’s complaint for lack of personal jurisdiction and attached a declaration stating HCIS did not call the phone number listed in Doyle’s complaint. (Id. ¶ 20.) Doyle subsequently amended his complaint to change the listed defendants but did not address HCIS’s declaration. (Id. ¶¶ 21–22.) Doyle then voluntarily dismissed his complaint in New Jersey and refiled his complaint in the District of Arizona with no substantive changes. (Id. ¶¶ 24–27.)
Months after filing in Arizona and over eight months after filing his first complaint, Doyle advised HCIS that he listed the wrong phone number in all prior complaints. (Id. ¶ 28.) Upon receiving the correct phone number, HCIS checked its records and determined that someone filled out a Form with that phone number and Doyle’s first and last name. (Id. ¶¶ 28–31.) HCIS also determined the phone call described in Doyle’s complaint was made by a real person. (Id. ¶¶ 41–45.) HCIS then advised Doyle of these facts and attempted to compel arbitration with Doyle pursuant to the arbitration clause in the agreement embedded in the Form. (Id. ¶¶ 32–48.)
While Doyle refused to engage in arbitration, he recognized the lack of a prerecorded message was fatal to his case and that it would be “pointless” to continue his litigation (Id. ¶¶ 51–54.) Doyle first attempted to engage in settlement negotiations, but they ultimately failed. (Id. ¶¶ 54–57.) Doyle nonetheless agreed to dismiss his complaint with prejudice. (Id.)
Get it?
Doyle filed a lawsuit in the wrong jurisdiction over the wrong phone number and on the wrong theory. By the time he figured it out it was months into the second lawsuit. He eventually dismissed the case but not before Healthcare, Inc. was out a bunch of money on fees.
Rather than take matters lying down, Healthcare, Inc. filed its own lawsuit against Doyle for, inter alia, fraud and malicious prosecution. Fun!
Doyle moved to dismiss arguing less than $75k was at issue in the suit so the federal court lacked jurisdiction but the Court disagreed. Healthcare, Inc.’s lawyers attested Healthcare spent more than $75k defending the prior suit– so the case moves on.
Doyle’s arguments were all focused on the merits of the suit but even a perfect defense would not deprive the court of jurisdiction. Since over $75k is at issue the suit moves forward.
Again love to see the aggressive posture by Healthcare, Inc. Will keep a close eye and see where this goes.

Insurance Cybersecurity Certifications: An (Updated) State Roundup

Over half of US states require annual compliance certifications from insurance providers. While the filing time frames for this year draw to a close, companies may want to keep them in mind not only for next year, but as a reminder of the information security programs that are expected to be in place.
When we last wrote about this, in 2021, only nine states (Alabama, Delaware, Louisiana, Michigan, Mississippi, New Hampshire, Ohio, South Carolina, and Virginia) had adopted certification obligations. Since then, 17 more states have followed suit, adopting the Insurance Data Security Model law (from which the obligations stem). These states are Alaska, Connecticut, Hawaii, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Minnesota, North Dakota, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Vermont, and Wisconsin. Additionally, while New York has not adopted the NAIC model law, it imposes a similar annual filing requirement.
Filing deadlines are set out below:

Deadline: States
February 15: Alabama, Alaska, Delaware, Kentucky, Louisiana, Michigan, Mississippi, Ohio, South Carolina, Virginia
March 1: New Hampshire, Wisconsin
March 31: Hawaii
April 15: Connecticut, Illinois, Indiana, Iowa, Maine, Maryland, Minnesota, New York, North Dakota, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Vermont

Those who might need to certify are those registered under the various state insurance laws. This includes insurance companies and insurance professionals, like agents and brokers. When making their filing, covered entities must certify that they have an Information Security Program in place. That program must include risk management and incident response procedures, as well as board oversight. Certification records and supporting materials need to be retained for five years after submission.
Putting it Into Practice: Those with insurance certification obligations should keep in mind the varying filing deadlines, as well as the accompanying obligations like having a compliant information security program in place. 
James O’Reilly also contributed to this article. 

NEW NPRMS ON THE FCC’S UPCOMING APRIL AGENDA: Non-IP Caller ID Authentication Solutions and Clarifying Foreign Ownership Rules

Just last week the FCC announced the agenda for the upcoming April meeting on the 28th. During the meeting, the Commission will consider a couple of Notices of Proposed Rulemaking (NPRMs), and two stood out to me.
The first is an NPRM centered on caller ID authentication for non-IP networks to block robocalls.
The FCC summarized the NPRM as one that “proposes to develop a framework for evaluating whether non-IP caller ID authentication solutions are developed and reasonably available, as required by the TRACED Act, proposes to conclude that certain existing solutions satisfy those requirements, and proposes to require that providers that continue to rely on non-IP networks implement non-IP caller ID authentication solutions.”
The NPRM would aim to set in motion the following items:

Propose to establish criteria for evaluating whether non-IP caller ID authentication frameworks are developed, reasonably available, and effective, as required by the TRACED Act.
Propose to conclude, applying those criteria, that frameworks based on two existing non-IP caller ID authentication standards meet the TRACED Act’s requirements, and seek comment on frameworks based on a third standard.
Propose to repeal the continuing extension from caller ID authentication requirements granted to providers that rely on non-IP technology.
Propose to require that voice service providers, gateway providers, and non-gateway intermediate providers implement non-IP caller ID authentication frameworks in their non-IP networks and certify in their Robocall Mitigation Database filings that they have implemented such frameworks.
Propose to give providers that continue to rely on non-IP technology two years from the effective date of the rules to implement one or more non-IP caller ID authentication frameworks, and seek comment on how the proposed

The second is an NPRM to clarify foreign ownership rules, summarized by the FCC “that would set clear expectations about the Commission’s review under section 310(b) of the Act of foreign investment in common carrier wireless, aeronautical radio, and broadcast licensees to reduce unnecessary burdens on industry while continuing to protect the public interest, including national security, law enforcement, foreign policy, and trade policy.”
The fact sheet states the FCC has already adopted many of the practices outlined in the NPRM but has not codified them as legal rules. The NPRM is seeking to “codify definitions and concepts underlying the foreign ownership rules and practice and to streamline our review processes.”
The NPRM is hoping to clarify and codify the following for both broadcasters and common carrier licensees:

Propose to codify existing policy regarding which entity is the controlling U.S. parent;
Propose to codify the Commission’s advance approval policy regarding certain deemed voting interests;
Propose to require identification of trusts and trustees;
Propose to extend the remedial procedures and methodology to privately held companies;
Propose to add requirements regarding the contents of remedial petitions;
Seek comment on requiring the filing of amendments as a complete restatement to petitions for declaratory ruling;
Propose to clarify U.S. residency requirements; and
Seek comment on other potential opportunities to alleviate unnecessary regulatory burdens in the context of our foreign ownership review under section 310(b) of the Act.

It will be interesting to see if both of these move forward; we will be tuning in. You can check out the FCC meeting agenda here.

Congress Reintroduces the NO FAKES Act with Broader Industry Support

Congress has reintroduced the Nurture Originals, Foster Art, and Keep Entertainment Safe (NO FAKES) Act— a bipartisan bill designed to establish a federal framework to protect individuals’ right of publicity. As previously reported, the NO FAKES Act was introduced in 2024 to create a private right of action addressing the rise of unauthorized deepfakes and digital replicas—especially those misusing voice and likeness without consent. While the original bill failed to gain traction in a crowded legislative calendar, growing concerns over generative AI misuse and newfound support from key tech and entertainment stakeholders have revitalized the bill’s momentum.
What’s New in the Expanded Bill?
The revised bill reflects months of industry negotiations. Key updates include:

Subpoena Power for Rights holders: The revised bill includes a new right to compel online services, via court-issued subpoenas, to disclose identifying information of alleged infringers, potentially streamlining enforcement efforts and unmasking anonymous violators.
Clarified Safe Harbors: Both versions of the bill include safe harbor protections for online services that proactively comply with notice and take-down procedures, a framework analogous to the protections afforded to online service providers under the Digital Millennium Copyright Act (DMCA). The revised bill introduces new eligibility requirements for these protections, including the implementation of policies for terminating accounts of repeat violators.
Digital Fingerprinting Requirement: In addition to removing offending digital replicas following takedown requests, the revised bill requires that online services use digital fingerprinting technologies (e.g., a cryptographic hash or equivalent identifier) to prevent future uploads of the same unauthorized material.
Broader Definition of “Online Service”: The revised bill broadens the scope of the definition to explicitly include search engines, advertising services/networks, e-commerce platforms, and cloud storage providers, provided they register a designated agent with the Copyright Office. This expansion further ensures that liability extends beyond just the creators of deepfake technologies to also include platforms that host or disseminate unauthorized digital replicas.
Tiered Penalties for Non-compliance: The revised bill introduces a tiered structure for civil penalties, establishing enhanced fines for online services that fail to undertake good faith efforts to comply, ranging from $5,000 per violation, up to $750,000 per work.
No Duty to Monitor: Unlike the prior version, the revised bill explicitly states that online services are not required to proactively monitor for infringing content, acknowledging the practical limitations and resource constraints of such monitoring. Instead, the responsibility is triggered upon receipt of a valid takedown notice, after which the online service must act promptly to remove or disable access to the unauthorized material to maintain safe harbor protections. This approach mirrors the notice-and-takedown framework established under the DMCA.

If enacted, the NO FAKES Act would establish nationwide protections for artists, public figures, and private individuals against unauthorized use of their likenesses or voices in deepfakes and other synthetic media. Notably, the revised bill has garnered broad consensus among stakeholders, including the major record labels, SAG-AFTRA, Google, and OpenAI.
While the bill seeks to create clearer legal boundaries in an era of rapidly evolving technology, stakeholders remain engaged in ongoing discussions about how best to balance the protection of individual rights with the imperative to foster technological innovation and safeguard First Amendment-protected expression. As the legislative process unfolds, debate will likely center on whether the bill’s framework can effectively address the complex legal and operational challenges posed by generative AI, while offering enforceable and practical guidance to the platforms that host and disseminate such content.
Importantly, the NO FAKES Act aims to resolve the challenges posed by the current patchwork of state right of publicity laws, which vary widely in scope and enforcement. This fragmented approach has often proven inefficient and ineffective in addressing inherently borderless digital issues like deepfakes and synthetic content. By establishing a consistent federal standard, the NO FAKES Act could provide greater legal clarity, streamline compliance for online platforms, and enhance protections for individuals across jurisdictions.

Burdensome Portion of TCPA Rule Delayed Through April 2026

Last year, the Federal Communications Commission (“FCC”) issued a rule amending a portion of the Telephone Consumer Protection Act (“TCPA”) rules. The amendments to 47 C.F.R. § 64.1200(a)(10) were set to become effective on April 11, 2025 and were designed to strengthen consumers’ ability to revoke consent under the TCPA by making the revocation process simple and easy. The rule change, however, was far-reaching and required callers to apply a revocation request made in response to one type of message to all future calls and texts.
In response to industry comments (particularly from financial institutions and healthcare organizations), the FCC has extended the effective date of Section 64.1200(a)(10), a specific and narrow portion of the amended rules, through April 11, 2026, “to the extent that it requires callers to apply a request to revoke consent made in response to one type of message to all future robocalls and robotexts from that caller on unrelated matters.” See the Order, In the Matter of Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, No. DA 25-312 (Apr. 7, 2025).
The FCC repeatedly refers to this as a limited waiver, so the remaining portions of the rule and the other changes to Section 64.1200(a)(10) will go into effect as planned on Friday, April 11, 2025.
There is some ambiguity as to what requirements are extended because the FCC’s announcement did not include an amendment showing how Section 64.1200(a)(10) would be codified. Based on the Order’s plain language, by April 11, 2025 callers will still need to:

process requests for which the party is seeking an opt-out within a reasonable time not to exceed 10 business days, as opposed to the current outer limit of 30 days;
recognize and process the expanded list of opt-out commands (“STOP”, “QUIT”, “END”, etc.) and any other opt-out request made using any reasonable method to clearly express a desire not to receive further calls or texts;
allow users to opt out of exempted texts or calls if they request an opt-out in response to one of those messages; and
provide a clear, conspicuous disclosure and an alternate, reasonable method of opting out if two-way texting isn’t supported, so that the party knows how to opt out in response to a text.

Fortunately, by extending the portion of the rule that would have required callers to apply a revocation request made in response to one type of message to all calls and text messages from that caller, the FCC has deferred the most onerous portion of the 47 C.F.R. § 64.1200(a)(10) changes. Despite the extension, callers should confirm that they are in compliance with the remaining portions as of April 11, 2025 and continue preparing for the 2026 effective date of the deferred revocation requirements.

President Trump Orders Closure of the Department of Education: What Schools and EdTech Companies Need to Know About FERPA

On March 20, 2025, President Donald Trump issued Executive Order 14242 directing the Secretary of Education “to the maximum extent appropriate and permitted by law, [to] take all necessary steps to facilitate the closure of the Department of Education[.]” This long-expected but dramatic move has educational institutions and education technology (EdTech) vendors—companies that provide services such as online homework, grade tracking, and teaching materials—wondering what now happens to the millions of students’ education records they maintain. More importantly for would-be brokers of student data, does the sudden disappearance of the main enforcer of the Family Educational Rights and Privacy Act of 1974 (FERPA) make student data a gold mine or a minefield?

Quick Hits

FERPA is a federal law that sets out a number of requirements educational institutions that receive federal funding must meet for the protection of student educational records.
A recent Executive Order diminishes the federal government’s power to enforce FERPA, heightening concerns that EdTech vendors could use student education data in prohibited ways.
However, vendors would do so at their own risk, as the legal landscape surrounding student education records requires compliance with more than just FERPA.

What Is FERPA?
FERPA requires educational institutions that receive federal funding to protect student educational records. FERPA applies to all public and private K-12 schools, as well as post-secondary educational institutions, that receive federal funding. Specifically, FERPA requires such educational institutions to: (i) obtain consent prior to releasing education records, (ii) permit parents and eligible students to access and correct their records, (iii) provide annual notice of rights, (iv) maintain reasonable measures to keep education records secure, and more.
While FERPA does not apply directly to EdTech companies, vendors are typically required by their contracts with individual educational institutions to comply fully with FERPA’s obligations and restrictions. FERPA does not contain a private right of action. Instead, aggrieved parents and eligible students can file complaints with the U.S. Department of Education, which investigates and enforces alleged violations. If the Department finds a FERPA violation, the relevant educational institution can be disciplined, up to and including the loss of federal funding.
A Student Data Gold Mine …
The Department has long been criticized for failing to adequately enforce FERPA. As of 2025, the Department has never imposed a financial penalty on an institution for violating FERPA, instead working with violators to achieve voluntary, monitored compliance. Many have expressed concerns that abolishing or substantially changing the structure of the Department could further erode the likelihood of strong FERPA enforcement at the federal level.
The prospect of a “Wild West” environment in the absence of the Department of Education may have schools and EdTech vendors salivating at the prospect of buying, selling, sharing, using, or otherwise processing the data of the millions of students (and former students) in the United States. Student data is a treasure trove. According to a report issued by the International Trade Administration in 2020, the EdTech market was estimated to be worth $89.49 billion, and it is projected to grow at a compound annual growth rate of 19.9 percent until 2028.
A FERPA exception already permits school officials to disclose education records to EdTech vendors if the vendor has a legitimate educational interest, the vendor is subject to the school’s supervision, and the school contractually prohibits the vendor from further disclosure. However, a federal enforcement vacuum may encourage such vendors to think they can ignore the FERPA obligations to which they have agreed when processing student data. It may also encourage third parties, contractors, consultants, and other organizations that do not fit within this exception to think they can bypass FERPA entirely.
… or a Regulatory Minefield?
Despite the potential decrease in enforcement at the federal level, (1) the existence of other FERPA regulators, (2) bipartisan interest in reform, and (3) uncertainty regarding the extent of the Department’s closure cut against any argument that FERPA compliance will be less important in the coming days.
First, FERPA does not preempt state or local laws. The Executive Order even emphasizes returning “authority over education to the States and local communities.” Nearly all states have enacted at least one state-level student privacy law that supplements FERPA with additional privacy safeguards. These will persist regardless of what happens federally. In California, for example, the Student Online Personal Information Protection Act prohibits the use of student data for targeted advertising. Many states, like Illinois, have transposed FERPA into state statutes. Other states, like Virginia, incorporate FERPA by reference, essentially making compliance a state requirement as well as a federal requirement. Keeping aware of state-level obligations is of paramount importance for both educational institutions and EdTech providers, especially because in some states, like Wyoming, civil actions for damages may be permitted under public records laws if parents or students are knowingly or intentionally denied the right to inspect public school records.
Moreover, there appears to be a strong bipartisan interest in FERPA reform, with commentators associated with the current administration indicating that they support amending FERPA to facilitate enforcement in the Department’s absence. These commentators have taken the position that “[r]ather than preserving a failing federal system, a potential reorganization of the Department of Education presents a critical opportunity to … protect student data[.]” Some interested parties have proposed a private right of action for FERPA violations, while others want to explore other avenues to fill in regulatory gaps in student privacy, including by transferring many of the Department of Education’s responsibilities to other agencies.
Finally, the true extent to which the Department will be shuttered remains to be seen, as full closure may require an act of Congress. And, it is vital to remember that FERPA is a federal law, not a Department of Education regulation. Therefore, even if the Department were to close entirely, that would not make FERPA liability vanish forever. FERPA would remain in effect, and a future administration may reinitiate enforcement.
Next Steps
Despite the potential closure of the Department of Education, schools and EdTech vendors that ignore FERPA’s obligations regarding student data nevertheless face a number of continued risks. The Department has traditionally pursued only patterns of noncompliance and egregious violations, and ignoring FERPA over the next three and a half years could be construed as just that. Moreover, for EdTech vendors, FERPA noncompliance could give rise to breach of contract claims, while enforcement by other regulators may cause the school with which the EdTech vendor is working to lose funding—and, by extension, risk the vendor missing payday. Businesses operating in the education space may want to remain mindful of the full breadth of their obligations and act accordingly, even as changes take place within the federal education (and EdTech) landscape.

CONFIDENTIAL?: AmEx Compels Individual TCPA Suit to Arbitration And I am Intrigued

Arbitration provisions can be a TCPA defendant’s best friend, but usually that’s to avoid class litigation.
While a TCPA suit can be, and very often is, filed as a class action in court, such cases are not permitted under most arbitration provisions. That means if a defendant can successfully compel arbitration it may take a billion dollar exposure case and take it down to $500.00. Not a bad day in court.
But there are other reasons to seek arbitration where available, even in an individual suit as AmEx just demonstrated.
In Adler v. American Express Co., 2025 WL 904462 (N.D. Oh. March 25, 2025) AmEx compelled an individual TCPA claim to arbitration.
The background facts here are interesting. Plaintiff claims AmEx was mistakenly calling him repeatedly (say, 15 times a month) for years with prerecorded calls related to a debt he didn’t owe.
If these allegations are true Plaintiff seemingly has a six figure case against AmEx ($500.00 is the MINIMUM liability for such errant robocalls to a cellular phone) but the good news for AmEx is that the suit was brought on an individual basis.
Despite the individual nature of the suit, AmEx asked the court to compel arbitration. Plaintiff opposed, arguing the calls at issue were not related to HIS account, but the Court determined that did not matter: any dispute between the parties had to go to arbitration. And since Plaintiff was a cardholder who had accepted the arbitration provision by using the card, he was a party stuck bringing suit in arbitration only.
So this was a fine win by AmEx but only because it will make it harder for everyone to find out what happened in the lawsuit. Everything that happens in federal court is public, but arbitrations are private proceedings. So we may never know what happened with Mr. Adler.
Folks facing TCPA trouble should ALWAYS think about compelling arbitration, and anyone in the lead gen space should be leveraging these provisions as part of every form.

UK Venues Face New Security Requirements Under ‘Martyn’s Law’

Go-To Guide:

The Terrorism (Protection of Premises) Act 2025, also known as “Martyn’s Law,” requires UK venues and events to implement security measures against terrorist attacks. 
The Act introduces a tiered approach based on venue capacity. 
The Act defines “responsible persons” who must address compliance. 
Penalties for non-compliance include fines up to £18 million or 5% of worldwide revenue for some premises.

On 3 April, the Terrorism (Protection of Premises) Act 2025 received Royal Assent. The Act, also known as “Martyn’s Law” in tribute to Martyn Hett, one of the 22 people killed in the 2017 Manchester Arena attack, is intended to improve protective security and organisational preparedness for terrorist attacks at public venues across the UK.
The Act comes at a time when the Government considers the threat level from terrorism in the UK to be “substantial” as well as “less predictable and harder to detect and investigate.”
Pursuant to the Act, those responsible for certain premises and events will now be legally obliged to consider the risk and take reasonably practicable measures to mitigate the impact of a terrorist attack.
Background
The Act’s provisions were developed following engagement with the Martyn’s Law campaign team, expert security partners, businesses, and local authorities, as well as via learnings from the Manchester Arena Inquiry (a statutory public inquiry to investigate the deaths of the victims of the 2017 Manchester Arena attack) and the London Bridge Inquest (an inquest into the 2017 terror attack at London Bridge and Borough Market), which both recommended introducing legislation to protect the public and clarify venue owners’ duties regarding protective security.
The Act also forms part of the Government’s broader counter-terrorism strategy (CONTEST) 2023. At a time when the nature and threat of a terrorist attack is complex and unpredictable, the Government is aiming to enhance the UK’s readiness and protection by ensuring a wide range of premises and events are legally obliged to be better equipped and ready to respond to a terrorist attack.
Key Provisions
Those responsible for certain premises or events will now be required to implement reasonably practicable public protection procedures and/or measures, depending on the capacity of the premises or event.
Tiered Approach
The Act establishes a tiered approach, linked to the number of individuals reasonably expected to be present on the premises at the same time. Smaller premises (200-799 individuals) fall within the standard tier and will be required to put in place simple procedures to reduce the risk of physical harm to individuals who may be present. Larger premises and events (800 individuals plus) fall within the enhanced tier, with additional procedural requirements in recognition of the potentially higher impact of a successful terrorist attack.
Types of Premises & Events
Premises include a building, part of a building, a group of buildings, or a building and other land – for example, a hotel plus its grounds where the same are used for dining or events.
Premises must be wholly or mainly used for one or more specified use(s), including shops, bars, pubs, restaurants, hotels, healthcare, education and childcare facilities, entertainment venues such as nightclubs, theatres and cinemas, halls, leisure, sports grounds, libraries, museums, galleries, transport stations, visitor attractions, and places of worship.
Events reasonably expected to have 800-plus individuals in attendance at the same time are also captured and subject to enhanced tier requirements so long as the event is publicly accessible and meets the “express permission” criteria (employees or individuals checking that conditions of entry to the event are satisfied by attendees).
Standard v Enhanced Tier Requirements
Persons responsible for standard tier premises (or “standard duty premises”) will be required to implement appropriate and reasonably practicable public protection procedures for staff to follow in the event of a terrorist attack at the premises or in the immediate vicinity, including procedures to (i) provide information to individuals on the premises and (ii) evacuate, invacuate, or lock down the premises. For these smaller venues there is no expectation to incur costs or implement physical measures.
Enhanced tier premises (or “enhanced duty premises”) will also be required to comply with the requirements above, but appropriate and reasonably practicable public protection procedures must also be documented and provided to the regulator (see below), including procedures that may be expected to reduce the vulnerability of the premises or event to an act of terrorism. This might include the monitoring of premises and their immediate vicinity, controlling the movement of individuals into, out of, and within the premises or event, and physical safety and security. It also includes measures relating to the security of information which may reveal vulnerabilities and assist in the planning, preparation, or execution of acts of terrorism, particularly what is appropriate to share, where, and with whom.
The requirement for procedures to be “reasonably practicable” allows those responsible persons to factor in the nature of the qualifying premises or event, encouraging a tailored approach whilst complying with the Act’s requirements.
Who Is the ‘Responsible Person’?
The responsible person must ensure the legislative requirements are met.
For a qualifying premises, the responsible person is the person who has control of the premises in connection with its use. Where premises are let, this would typically be the tenant. However, if qualifying premises form part of other qualifying premises, for example a department store within a shopping centre, then both the tenant and the property owner would each be responsible persons. In this case, the property owner and tenant would be required, so far as is reasonably practicable, to coordinate to enhance individual and cumulative compliance.
For a qualifying event, the responsible person is the person who has control of the premises at which the event is taking place in connection with its use for that event. For example, if a hotel hosted a public event in its grounds and maintained control of the premises for the purposes of that event, the hotel is the responsible person irrespective of the involvement of any contracting organisations. Responsibility cannot be delegated to contracted services.
For enhanced tier premises or an event, the responsible person is required to appoint a designated senior individual (DSI), i.e., someone with high-level management responsibility such as a director or partner, with responsibility for meeting the relevant requirements.
The responsible person will also be required to notify the regulator when they become and cease to be responsible for the premises (regulations will set out further details of timings and exactly what information must be provided).
Where the responsible person is the tenant, the requirement to comply with the Act is caught by the tenant obligation in most market standard leases where a tenant is typically required to comply with all laws relating to the premises and the occupation and use of the same by the tenant. Where the responsible person is the landlord, for example with a shopping centre, then a landlord may be obliged to meet its obligations via the provision of services.
Co-Operation
Persons who have control over enhanced tier premises or events but are not the responsible person (for example, the freeholder where premises are let) are required to co-operate, so far as reasonably practicable, with the responsible person to facilitate the responsible person’s compliance with the Act.
The Government gives examples in its additional guidance where a freeholder as landlord would be obliged to consider the above to a reasonably practicable level. One example is when receiving requests from the responsible person to carry out alterations pursuant to the terms of its lease to meet their legal obligations. Where tenant alterations require landlord’s consent not to be unreasonably withheld or delayed, this would simply be part of the landlord’s decision-making process. Another example is where the responsible person has identified certain mitigations required to meet their legal obligations but the lease may state that landlord’s permission is required and the landlord should contribute a certain percentage of costs to ensure premises remain fit for purpose. The freeholder as landlord would be obliged to consider such requests from the tenant to a reasonably practicable level.
Enforcement & Sanctions
To support the Act’s enforcement, the regulator function will be delivered as a new function of the Security Industry Authority (SIA).
The SIA will have inspection and information-gathering powers and will be able to issue a range of civil sanctions, including compliance notices and restriction notices for non-compliance resulting in the temporary closure of enhanced tier premises or prohibiting an event from taking place.
The SIA can issue monetary penalties up to a maximum of £10,000 for standard tier premises and £18 million or 5% of worldwide revenue for enhanced tier premises or events. Daily penalties (up to £500 per day for standard tier premises and £50,000 per day for enhanced tier premises or events) may also be imposed where non-compliance continues.
It will be a criminal offence to fail to comply with an information, compliance, or restriction notice, provide false or misleading information, or obstruct the SIA. Further, the offender might be liable to imprisonment and/or a fine.
For enhanced tier premises, senior officers (including the DSI) may be liable to prosecution if the responsible person commits an offence, and it is proven that the offence was committed with their consent or connivance.
Next Steps
The Act received Royal Assent on 3 April; however, its provisions have not yet come into effect and will only require compliance once activated through regulations. Implementation is expected to take approximately two years, allowing time for the SIA to establish itself, for the Home Office and the SIA to develop guidance, and for those responsible for qualifying premises and events to familiarise themselves with their new obligations.
Conclusion
The Act delivers on the Government’s manifesto commitment to “bring in Martyn’s Law to strengthen the security of public events and venues,” ensuring they are better prepared and ready to respond to terrorist attacks.
Whilst many owners and occupiers of premises may have already proactively considered the risk that acts of terrorism pose and have plans and procedures in place, this Act mandates for the first time who exactly is responsible for considering the risk and taking appropriately proportionate protection measures, applying a consistent level of security standards across qualifying events and premises. Both owners and occupiers should monitor the Government’s progress on guidance and regulations related to the Act, using the implementation timeframe as an opportunity to plan and prepare for compliance with the upcoming legislative changes.