Consumer Protection – Page 9

DOJ Issues Guidance, FAQs and Implementation Policy on Bulk Transfers of Sensitive U.S. Personal and Government Data

On April 11, 2025, the U.S. Department of Justice (“DOJ”) issued a compliance guide, FAQs and an Implementation and Enforcement Policy to assist organizations to comply with the DOJ’s final rule implementing Executive Order 14117 (Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The guidance comes just days after certain of the final rule’s provisions became effective on April 8, 2025.
Compliance Guide
The compliance guide identifies best practices for complying with the final rule and offers guidance on defined terms, prohibited and restricted transactions and requirements for building a compliance program. The guide also provide best practices for complying with the final rule’s audit and recordkeeping requirements, which go into effect on October 6, 2025.
FAQs
The FAQs aim to provide further clarity on the DOJ’s final rule. In particular, the FAQs provide general information about the DOJ final rule and address a number of different issues related to the rule, including prohibited, restricted and exempt transactions, compliance requirements and DOJ advisory opinions under the rule. The FAQs reflect feedback and common issues the DOJ addressed through the rulemaking process. The DOJ will update the FAQs as necessary to address additional questions raised by the public.
Implementation and Enforcement Policy
Under the new Implementation and Enforcement Policy, the DOJ recognizes that companies may need to take steps to determine whether the final rule applies to their activities and to create new or update existing policies and other compliance processes. While certain of the rule’s provisions became effective on April 8, 2025, the DOJ will not prioritize civil enforcement actions against any person for violations of the rule that occur from April 8 through July 8, 2025, provided the person is taking measures to comply with the rule during that time.

Cyber Risks: Is Your Business Exposed?

In today’s interconnected digital landscape, cybersecurity has emerged as a critical concern for businesses across all sectors. The increasing frequency and sophistication of cyber threats necessitates a comprehensive understanding of both legal and financial implications associated with cyber risks. This article delves into the essential legal and financial terms related to cybersecurity to highlight their significance and provide insights into best practices for mitigating risk.
Defining ‘Cyber Risk’
Cyber risk refers to the potential for financial loss, disruption, or damage to an organization’s reputation due to failures in its information technology systems. These risks can arise from various sources, including cyberattacks, data breaches, system failures, or unauthorized access to sensitive information. Understanding cyber risk involves assessing both the impact a cyber incident can cause and the probability of such an incident occurring.
Sean Griffin, partner at Longman & Van Glack, underscores the legal liabilities of data breaches, explaining that failure to implement proper cybersecurity controls could expose companies to litigation and government enforcement actions.
The Role of Risk Management
Effective risk management is crucial in identifying, assessing, and mitigating cyber risks. Organizations typically adopt one or more of the following strategies:

Risk Acceptance: Acknowledging the risk and choosing to accept it without implementing additional controls, often because the cost of mitigation exceeds the potential loss.
Risk Avoidance: Eliminating activities that introduce risk, thereby avoiding the potential threat altogether.
Risk Mitigation: Implementing measures to reduce the likelihood or impact of a cyber incident, such as deploying security technologies or enhancing employee training.
Risk Transfer: Shifting the financial consequences of a risk to a third party, typically through purchasing cyber insurance policies.

Legal Frameworks and Regulations
Navigating the complex landscape of cybersecurity requires adherence to various legal frameworks and regulations designed to protect data and ensure organizational accountability. The legal framework governing the mitigation and prevention of cyber-risks includes federal and state regulations like the following:
Federal Trade Commission (FTC) Safeguards Rule
The FTC’s Safeguards Rule mandates that financial institutions develop, implement, and maintain comprehensive information security programs to protect customer information. The rule was updated to include more specific requirements, such as designating a qualified individual to oversee cybersecurity compliance, conducting regular risk assessments, and implementing access controls and encryption. Notably, the definition of ‘financial institutions’ has been expanded to encompass a broader range of companies, increasing the scope of entities required to comply.
New York Department of Financial Services (NYDFS) Cybersecurity Regulation
The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) establishes cybersecurity requirements for financial services companies operating in New York. The regulation requires entities to implement a cybersecurity program, adopt a written policy, designate a Chief Information Security Officer (CISO), and comply with various technical controls. Recent amendments have introduced more stringent requirements, such as enhanced governance obligations and expanded definitions of key terms, reflecting the evolving nature of cyber threats.
Securities and Exchange Commission (SEC) Cybersecurity Disclosure Rules
The SEC has implemented rules requiring publicly traded companies to disclose material cybersecurity incidents within four business days of determining their materiality. This mandate emphasizes the importance of transparency and timely communication with investors regarding cyber risks and incidents. The disclosure should include the nature, scope, and potential impact of the incident on the company’s operations and financial condition.
Jonathan Friedland of Much Shelist emphasizes the importance of transparency in cybersecurity. He highlights that businesses must disclose cyber risks and incidents promptly to avoid regulatory scrutiny and loss of trust.
Financial Implications of Cyber Risks
Cyber incidents can have profound financial consequences for businesses, including direct costs such as regulatory fines, legal fees, and remediation expenses, as well as indirect costs like reputational damage and loss of customer trust.
Key financial considerations include:
Cyber Insurance
To mitigate potential financial losses from cyber incidents, organizations often invest in cyber insurance policies. These policies can cover various expenses, including data breach notifications, legal fees, and business interruption losses. However, it’s essential for organizations to thoroughly understand the terms, coverage limits, and exclusions of their policies to ensure adequate protection.
Regulatory Fines and Penalties
Non-compliance with cybersecurity regulations can result in substantial fines and penalties. For instance, under the updated FTC Safeguards Rule, financial institutions that fail to implement required security measures may face enforcement actions. Similarly, the NYDFS Cybersecurity Regulation imposes penalties on entities that do not adhere to its stringent requirements.
Best Practices for Cybersecurity
To strengthen cybersecurity defenses, organizations should adopt the following best practices:

Implement a Robust Incident Response Plan: The term, ‘Incident Response Plan’ (IRP), refers to a documented strategy outlining the procedures an organization will follow in the event of a cybersecurity incident. It typically includes steps for detection, containment, eradication, recovery, and post-incident analysis to mitigate damage and prevent future occurrences. Alex Sharpe of Sharpe Consulting suggests continuous monitoring and real-time threat detection rather than a solely reactive approach to cyber incidents.
Conduct Regular Security Audits and Risk Assessments: Identifying vulnerabilities proactively helps in mitigating potential threats before they are exploited.
Enhance Employee Training and Awareness Programs: Employees are the first line of defense against cyber threats; regular training can reduce human error and increase vigilance.
Encrypt Sensitive Data: Data encryption can protect critical information even if it is intercepted or stolen.
Utilize Multi-Factor Authentication (MFA): Enforcing MFA across all systems can significantly reduce the risk of unauthorized access.
Monitor and Respond to Threat Intelligence: Keeping up-to-date with emerging threats and attack trends allows organizations to adjust their defenses accordingly.

Conclusion
As cyber threats continue to evolve, businesses must remain vigilant in safeguarding their digital assets. Implementing proactive security measures, adhering to regulatory requirements, and fostering a culture of cybersecurity awareness are crucial for mitigating risk.
Cybersecurity is not merely an IT issue but a fundamental business imperative that impacts legal, financial, and operational stability. By staying informed, leveraging best practices, and continuously updating security protocols, organizations can enhance their resilience against cyber threats and protect their most valuable assets — data, reputation, and customer trust.

To learn more about this topic, view Corporate Risk Management / Cyber Risks: Every Business is Exposed Whether You Know it or Not. The quoted remarks referenced in this article were made either during this webinar or shortly thereafter during post-webinar interviews with the panelists. Readers may also be interested to read other articles about cybersecurity.
This article was originally published here.
©2025. DailyDACTM, LLC d/b/a/ Financial PoiseTM. This article is subject to the disclaimers found here.

CONSENT DOESN’T HELP: Travel and Leisure Co. Stuck in TCPA Class Action As Court Refuses to Credit Consent at the Pleadings Stage

Nothing more frustrating for a TCPA defendant than to be stuck in a class action when the named plaintiff provided consent to be contacted in the first place.
However the rules of litigation often prevent that issue from being addressed until much later in the case–sometimes even after expensive class discovery– which is why so many TCPA plaintiffs file frivolous lawsuits and manage to extract a high-dollar settlement.
Take the case of Hodge v. Tavel + Leisure Co., 2025 WL 1093243 (N.D. Cal. April 11, 2025). There the Defendant moved to dismiss arguing the Plaintiff had consented to receive the calls at issue. But the Court was unimpressed noting it would only credit the allegations of the complaint at this stage:
Hodge therefore had no obligation to negate Defendant’s claim of express consent through her allegations, and the Court can only dismiss Hodge’s TCPA claim on the consent defense if the “allegations in the complaint suffice to establish” consent. Sams v. Yahoo! Inc., 713 F.3d 1175, 1179 (9th Cir. 2013) (quoting Jones v. Bock, 549 U.S. 199, 215 (2007)). Nothing in the SAC, when construed in Hodge’s favor, shows that she consented to artificial or prerecorded messages.
Get it?
Even though the defendant might have a complete defense it is simply too early in the case for the Court to throw out the class action. As a result the defendant must litigate and deal with discovery demands– all of which gives Plaintiff’s counsel the opportunity to extort… er.. extract a high dollar resolution.
There are some tricks to get past the pleadings stage limitation on extrinsic consent evidence–Troutman Amin, LLP has earned great pleadings stage wins for example– but anytime there is a dispute of fact on consent you are DEFINITELY not going to win at the pleadings stage, and maybe not even at the MSJ stage. So be careful.
At the end of the day making outbound prerecorded or artificial voice calls (including voicemails) carries substantial risk. Make sure you know the rules of the game before playing!

FCC Grants Narrow One Year Effective Date Extension of TCPA Consent Revocation Requirement

Readers may recall that in February 2024, the FCC adopted a Report and Order imposing a number of new TCPA caller and texter compliance obligations in connection with consumer revocation requests, which are applicable to calls and text messages that otherwise require consent under the TCPA and the FCC’s rules. Those rules are slated to go into effect on April 11, 2025.
The FCC, however, has now issued a narrow, limited waiver of one aspect of those rules in the new Section 64.1200(a)(10) of its rules, extending the effective date of that section until April 11, 2026, to the extent the new rule requires callers and texters “to treat a request to revoke consent made by a called party in response to one type of message as applicable to all future robocalls and robotexts from that caller on unrelated matters.” The waiver was granted in response to requests from several associations of banks and financial institutions, supported by a healthcare industry vendor, stating that additional time is needed to ensure that entities can accurately apply revocation requests sent in response to one business unit’s calls or messages to future communications from its other business units.
Note that the waiver order emphasized that the one-year extension applies “only to section 64.1200(a)(10) to the extent discussed” in the order, and that it was only “delay[ing] the effective date of any such requirement” in the rule to treat an opt out from one messaging program of a caller as an opt out of all other messaging programs requiring consent. Thus, other aspects of the new rule appear unaffected by the waiver order, and are slated to go into effect on April 11, 2025 as previously announced.
These include, that callers and senders, as applicable: (i) must honor revocation requests made using an automated, interactive voice or key press-activated opt-out mechanism on a call; (ii) must honor revocation requests through seven specific texted back keywords (stop, quit, end, revoke, opt out, cancel, and unsubscribe); (iii) must treat other natural language text-backs by consumers as a valid revocation request if “a reasonable person” would understand those words to have conveyed a request to revoke consent; (iv) must honor revocation requests in a reasonable period of time, not to exceed 10 day; and (iv) may not designate an exclusive means to request revocation of consent.
Note too, that the February 2024 revocation mandate Report and Order included a wide range of revocation and consent issues not covered in the waiver order, as well as adopting additional rule sections. All of these likewise remain unaffected by the waiver order, which you can read about in our earlier our previous blog post here.

CFPB Drops Lawsuit Against Money Transmitter

On April 8, a federal court granted the CFPB’s motion to withdraw from its joint enforcement action against a global money transmitter. The lawsuit, originally filed in April 2022 in partnership with the New York Attorney General, alleged violations of the Electronic Fund Transfer Act (EFTA), including the Remittance Rule under its implementing Regulation E.
The complaint detailed a range of statutory and regulatory violations affecting remittance transfers used by consumers to send funds abroad. The core allegations included:

Inaccurate availability disclosures. The company allegedly failed to accurately disclose the date on which funds would be available to recipients.
Deficient error resolution. The company purportedly failed to promptly investigate consumer complaints, issue required fee refunds, or provide mandated explanations and documentation.
Noncompliant internal procedures. Regulators alleged the company lacked adequate written policies to identify covered errors, ensure timely investigations, and retain necessary compliance documentation.
Unfair acts under the CFPA. The Bureau and the New York AG alleged that the company unnecessarily delayed remittance transfers and refunds after completing internal screenings, leaving consumers without timely access to funds.

The lawsuit will now proceed with the New York AG as the sole plaintiff.
Putting It Into Practice: The CFPB’s withdrawal from this case is consistent with a broader trend of reassessing enforcement actions initiated under prior leadership (previously discussed here and here). While the Bureau appears to be narrowing its enforcement focus, state regulators—such as the New York Attorney General—continue to pursue consumer protection matters with vigor (discussed here). Financial services companies should not interpret reduced federal activity as a reprieve.

NYDFS Joins Multistate Action Against Money Transmitter for Financial and Licensing Violations

On March 20, the New York Department of Financial Services (NYDFS) entered into a consent order with a money transmitter, joining a group of state financial regulators acting through a multi-state task force coordinated by the Conference of State Bank Supervisors (CSBS) and the Money Transmitter Regulators Association (MTRA). The regulators alleged that the company violated state money transmission laws by failing to satisfy outstanding transmission liabilities, maintain adequate net worth and permissible investments, and continue licensed operations in a financially sound manner.
New York’s action follows an Interim Consent Order issued on March 21, 2024, after the company disclosed its deteriorating financial condition and inability to meet obligations to consumers. According to the regulators, the company ceased operations and initiated the surrender of its licenses while still owing outstanding transmission liabilities and without sufficient unencumbered assets to make consumers whole.
According to the 2025 consent order, the multi-state investigation identified several violations of state law:

Failure to satisfy transmission liabilities. The company allegedly did not meet its payment obligations as they became due, in violation of applicable money transmission statutes.
Insufficient net worth. In jurisdictions where financial thresholds apply, the company allegedly failed to maintain the net worth required to remain licensed.
Lack of permissible investments. The company allegedly failed to hold sufficient investments to cover its transmission obligations.

As a part of the settlement, the company agreed to permanently cease all money transmission activity and surrender its licenses. It must also pay a $1 million administrative penalty, to be distributed equally among participating states. The payment is stayed for two years and may be waived if the company complies with specified consumer protection provisions, including maintaining its website to direct consumers to file complaints and cooperating with bond claim processes.
Putting It Into Practice: This settlement is another example of state regulators asserting their authority in the absence of federal action, particularly in the money transmission and fintech sectors (previously discussed here and here). Financial institutions should expect multistate enforcement to become more common under the new administration.
Listen to this post

California DFPI Proposes Digital Asset Licensing Rule

On April 4, the California Department of Financial Protection and Innovation (DFPI) issued proposed regulations under the Digital Financial Assets Law (DFAL). The proposal provides clarification on DFAL’s licensing framework and identifies when digital asset activity may qualify for exemptions under California’s Money Transmission Act.
The proposal builds on legislation passed in 2023 and 2024—including Assembly Bill 39, Senate Bill 401, and Assembly Bill 1934—which established the DFAL and later pushed back its implementation deadline. Beginning July 1, 2026, companies engaging in covered digital financial asset business activity with or on behalf of California residents must be licensed by DFPI, have a pending application on file, or qualify for an exemption.
The proposed regulations aim to implement the Digital Financial Assets Law by clarifying licensing procedures, exemptions, and reporting obligations. The rule is intended to enhance transparency, improve oversight, and support the development of a safe, regulated digital asset market in California. Key provisions include:

License application procedures. The proposed regulations detail how covered persons must apply for licensure, including the use of the Nationwide Multistate Licensing System and Registry (NMLS) and required supporting materials.
Surety bond requirements. The proposal explains how licensees must demonstrate compliance with DFAL’s surety bond obligations, including documentation standards.
Material change notifications. Applicants and licensees must notify the DFPI of any changes to application information, including business addresses and control persons.
Kiosk disclosures. Operators of digital financial asset kiosks must report locations and provide updates to the Department as changes occur.
Exemption from MTA Licensure. The rule clarifies that money transmission incidental to digital asset activity does not trigger licensure under California’s Money Transmission Act.

The DFPI has invited written public comment through May 19, 2025, and will hold a hearing if requested by April 30. The Department estimates that compliance with the proposed regulations will cost approximately $8,190.18 in the first full year, with $150 in annual fees thereafter.
Putting It Into Practice: The proposed regulations represent California’s first substantive rulemaking under DFAL and reinforce the state’s intent to become a leader in digital financial asset oversight. The move follows several digital asset regulations enacted by several states (previously discussed here and here). With California now entering the crypto regulatory space, other states are likely to follow.

CFPB Drops Remittance Lawsuit against Money Transfer Provider

FCC Issues One Year Waiver for Consent Revocation Rule

On April 7, the FCC issued an order staying the effective date of a key provision in its Telephone Consumer Protection Act (TCPA) rules. The provision—originally set to take effect on April 11, 2025—would have required that a consumer’s revocation of consent apply broadly to all robocalls and robotexts from a sender, not just the type of message that prompted the opt-out.
The stay follows petitions from banking industry groups, who raised concerns that the rule would force institutions to block important customer communications, such as fraud alerts or low balance warnings, based solely on a consumer opting out of unrelated messages. In response, the FCC agreed that affected senders need additional time to prepare.
The now-delayed rule would have required:

Broad application of revocation. A single opt-out message—such as replying “stop” to a promotional text— would revoke consent for all future robocalls and texts from that sender, including those unrelated to the original message.
Universal treatment of revocation. Senders would be required to apply the opt-out across all communication lines or departments, rather than limiting it to the context in which the revocation occurred.

Companies now have until April 11, 2026 to comply with the global revocation requirement. Other provisions from the 2024 TCPA Consent Order—such as honoring standard opt-out keywords and processing revocations within ten business days—will still take effect as planned on April 11, 2025.
Putting It Into Practice: The FCC’s decision provides short-term relief for financial institutions and other regulated entities preparing for the rule. This development reflects ongoing efforts by federal regulators to balance consumer protection with operational feasibility (previously discussed here, here, and here). Nonetheless, businesses should continue preparing for full compliance with the global revocation rule by April 2026 and closely monitor any strengthening of consumer protection efforts at the state level (previously discussed here, here, and here).
Listen to this post

Maine Board Approves Motion to Adopt Rule on PFAS in Products; CUU Proposals for Products Prohibited as of January 1, 2026, Are Due June 1, 2025

As reported in our April 1, 2025, blog item, the Maine Board of Environmental Protection (MBEP) was scheduled to consider the Maine Department of Environmental Protection’s (MDEP) December 2024 proposed rule regarding products containing per- and polyfluoroalkyl substances (PFAS) during its April 7, 2025, meeting. As reported in our December 31, 2024, memorandum, on December 20, 2024, MDEP published a proposed rule that would establish criteria for currently unavoidable uses (CUU) of intentionally added PFAS in products and implement sales prohibitions and notification requirements for products containing intentionally added PFAS but determined to be a CUU. During the April 7, 2025, meeting, MBEP unanimously approved a motion to adopt the Chapter 90 rule, the Chapter 90 basis statement, and MDEP’s response to comments “as presented and with correction of minor typographical errors, and the addition of ‘Maine Department of Transportation’ at section 4(A)(8),” according to MBEP’s draft meeting minutes. Two MBEP members were absent.
Under the approved rule, CUU requests for products scheduled to be prohibited January 1, 2026, are due June 1, 2025. The products containing intentionally added PFAS that are scheduled to be prohibited include:

Cleaning products;
Cookware;
Cosmetics;
Dental floss;
Juvenile products;
Menstruation products;
Textile articles. The prohibition does not include:

Outdoor apparel for severe wet conditions; or

A textile article that is included in or a component part of a watercraft, aircraft or motor vehicle, including an off-highway vehicle;

Ski wax; or
Upholstered furniture.

The January 1, 2026, prohibition applies to any of the products listed that do not contain intentionally added PFAS but that are sold, offered for sale, or distributed for sale in a fluorinated container or container that otherwise contains intentionally added PFAS.
Proposals for CUU determinations may be submitted by manufacturers individually or collectively. Under the rule, a separate proposal must be submitted for each individual combination of product category and the associated industrial sector. Proposals must include details of any sales prohibition to which the product is subject because of the intentionally added PFAS. As of January 1, 2025, Minnesota prohibited intentionally added PFAS in an almost identical list of products, with the exception of textile articles (Minnesota has banned textile furnishings containing intentionally added PFAS). A CUU proposal in Maine is still possible, but submitters will need to explain how products available in compliance with Minnesota’s prohibition are not reasonably available alternatives in Maine.

DEFAULT DEFEAT: TCPA Defendant Faces Class Discovery After Failing to Defend Itself in TCPA Class Action

Quick one for you this am.
In Ashworth v. Off Leads K9 Training Central Florida 2025 WL 1083621 (M.D. Fl. March 24, 2025) a court ordered class discovery to be taken against a defendant that had failed to show up in a TCPA class action.
Plaintiff asked the court to take discovery in this matter to identify members of the putative class and to determine the amount of damages to which the class members are entitled, prior to seeking class certification and moving for default judgment.
The Court found the request to be well taken and granted the request, giving the Plaintiff 90 days to conduct discovery and then seek a class judgment.
Eesh.
Failing to show up in response to a TCPA class action is a very dangerous strategy. Will be interesting to see how many class members exist here and what the default judgment will ultimately look like.
More soon.

TODAY IS THE DAY: New TCPA Revocation Rule Goes Into Effect– This is What YOU Need to Know Right Now

Well the FCC had their chance to stay or trash the entire rule and they elected not to. So that means businesses all across the country need to comply with new TCPA revocation requirements effective RIGHT NOW.
The new revocation rules require the following:
So here are the key points of the new ruling:

FCC makes “clear that consumers may revoke prior express consent for autodialed or prerecorded or artificial voice calls and autodialed texts in any reasonable manner that clearly expresses a desire not to receive further calls or text messages, and that callers may not infringe on that right by designating an exclusive means to revoke consent that precludes the use of any other reasonable method.” This appears to be a big big change from existing law that allows businesses to contract for consent that cannot be revoked and otherwise set reasonable revocation method by contract;
FCC determines using the words “stop,” “quit,” “end,” “revoke,” “opt out,” “cancel,” or “unsubscribe” via reply text message constitutes a reasonable means to revoke consent–BUT “this does not preclude, however, the use of other words and phrases to revoke consent.” So… this is useless. Yippee;
FCC requires companies to honor company-specific do-not-call and revocation-of consent requests as soon as practicable and no more than 10 business days after receipt of the request— this is a big GIFT for informational callers, who previously had to honor consent immediately. Cuts down timeframe for telemarketing callers, however, who previously had up to 30 days to comply. MUCH better than the 24 hours that was originally proposed. Notably the FCC credits REACH for arriving at the 10 business day time frame!!! (See fn 42);
FCC rules texters can send one time post-revocation text seeking to clarify scope of revocation–but no response means opted out of everything. Not sure folks who have multiple layers of consent are going to take advantage of this. Especially since the text “must not contain any marketing or advertising content or seek to persuade the recipient to reconsider their opt-out decision.” hmmm

You can read the full ruling here: Draft FCC TCPA Order re Consent Revocation (DOC-400039A1)
The good news is that companies will NOT have to comply with the dreaded scope rules of the new ruling until April 11, 2026.
The STAYED rules require companies to treat a “stop” as a request that the business stop all calls and texts across all channels and for all purposes that require the same level of consent, or less, as the stopped message. So if a consumer texts “stop” to an informational message all informational and marketing would need to end. And if a consumer texts “stop” to an exempted message then ALL messaging from the business would have to end.
These scope rules are INCREDIBLY difficult to comply with and I HIGHLY suggest enterprise start working on these things right now.
But EVERYBODY needs to be complying with the new rules in effect today. The most challenging for many businesses is honoring imperfect or free-form stop requests via SMS. Please keep this in mind folks– the plaintiff’s bar will be all over it! Again, this portion of the rule is in effect today!!