Massachusetts AG Issues New Regulations Targeting Junk Fees
On March 3, Massachusetts Attorney General Andrea Joy Campbell announced new regulations, issued under the Massachusetts Consumer Protection Act, aimed at curbing “junk fees” by requiring businesses to disclose total prices upfront and provide clear information about additional charges. The regulations, set to take effect September 2, 2025, seek to prevent deceptive pricing practices and enhance consumer transparency.
The new regulations impose several requirements on businesses operating in Massachusetts, including:
Total Price Disclosure. Businesses must clearly disclose the full price of a product or service—including all mandatory fees—at the time of advertisement and before collecting consumer information.
Fee Transparency. Any additional charges must be itemized, with details on their nature, purpose, and amount. Businesses must also indicate whether they are optional or waivable, along with instructions on how consumers can avoid them.
Trial Offers. Businesses offering free or discounted trials must clearly disclose any charges a consumer may incur, the specific products or services covered, the deadline for cancellation to avoid charges, and simple, accessible cancellation instructions.
Recurring Charges and Subscriptions. Businesses must provide clear terms for recurring charges, including any price changes after a trial period, offer a user-friendly cancellation process, and issue written notices before renewals specifying renewal dates, costs, and cancellation methods.
To assist businesses in complying with the new regulations, the AG’s Office has released guidance for businesses.
Putting It Into Practice: Massachusetts’ new regulations are continued evidence of state regulators filling in the gap left by the pullback of federal regulators. States like California have already taken steps to regulate deceptive fee practices (previously discussed here), and we are likely to see additional state-level initiatives.
Listen to this post
CFPB Extends Comment Periods for Two Proposed Regulation V Rules
The CFPB is extending the comment periods for two proposed rulemakings under Regulation V, which implements the Fair Credit Reporting Act (FCRA). On March 5, the Bureau extended the comment period for its proposed rule on data brokers and consumer reports. Similarly, on March 7, the CFPB announced an extension for its Advance Notice of Proposed Rulemaking (ANPR) on identity theft and coerced debt.
The CFPB’s proposed rule on data brokers and consumer reports aims to clarify when data brokers qualify as “consumer reporting agencies” under the FCRA (previously discussed here). This rulemaking is intended to enhance consumer privacy protections and limit the use of consumer data without appropriate oversight. The Bureau is seeking feedback on:
Defining consumer reporting agency coverage. The rule would establish clearer criteria for when data brokers meet the definition of a consumer reporting agency, making them subject to FCRA requirements.
Restricting report access. The proposal seeks to regulate when consumer reporting agencies may furnish reports and when users may obtain them, aiming to prevent misuse of consumer information.
Assessing compliance impact. Given the potential expansion of FCRA oversight, affected businesses are encouraged to assess the operational and compliance implications of these changes.
Comments are now due on April 2, 2025.
The CFPB’s proposed rule on identity theft and coerced debt (previously discussed here) seeks to clarify how these issues are defined under Regulation V. The Bureau is particularly focused on ensuring that consumers who have been forced into debt through fraud or abuse are not unfairly burdened in the credit reporting system. Key areas of interest include:
Amending definitions. The CFPB is exploring revisions to the definitions of “identity theft” and “identity theft report” under Regulation V to better capture coerced debt situations.
Consumer reporting implications. The rulemaking seeks input on how coerced debt is reported to consumer reporting agencies and whether additional safeguards are needed.
Stakeholder participation. The extended comment period gives financial institutions, consumer advocates, and industry participants more time to provide input on potential regulatory changes.
Comments on this rule are now due by April 7, 2025.
Putting It Into Practice: The CFPB’s decision to extend both comment periods may provide insight into the new administration’s regulatory priorities, particularly in the consumer reporting space. The extensions suggest that the Bureau is taking a deliberate approach to gathering stakeholder input and is not doing away with rulemaking altogether. It will be interesting to see what Chopra-era rulemaking survives this new CFPB.
Listen to this post
CFPB Drops Two More Major Lawsuits
The CFPB has recently dismissed two more enforcement actions—one against a major credit reporting agency and another against a lease-to-own financing provider. Both lawsuits involved allegations of abusive, unfair, and deceptive acts and practices.
On February 28, the CFPB dismissed its lawsuit against a major credit reporting agency. The lawsuit, initially filed over alleged violations of a 2017 consent order, accused the company of misleading consumers into enrolling in paid credit monitoring services and making it difficult for them to cancel. The CFPB’s allegations included:
Deceptive marketing practices that lured consumers into paid services under the guise of offering free credit scores.
Violations of a 2017 consent order requiring the company to reform its marketing and billing practices.
Unauthorized charges for subscription-based services without proper consent, violating the Electronic Fund Transfer Act and Regulation E.
Obstructing consumer attempts to cancel subscriptions, leading to prolonged and unauthorized billing.
On March 7, the CFPB dismissed its lawsuit against a lease-to-own financing provider and related entities following a settlement agreement. The provider had filed a countersuit (previously discussed here) against the CFPB, arguing that the agency lacked jurisdiction over lease-to-own transactions, which it claimed were governed by state regulations rather than federal consumer credit laws.
The original lawsuit, filed in July 2024, alleged that the company engaged in deceptive practices that misled consumers about the cost and nature of its financing agreements. Specifically, the CFPB claimed the company:
Misrepresented its product as credit when it was actually a lease, leading to unexpected financial burdens for consumers.
Obscured key terms in agreements, making it difficult for consumers to understand the total cost of financing.
Created barriers to contract termination, locking consumers into long-term commitments.
Automatically withdrew funds from consumers’ accounts without clear disclosures.
Reported inaccurate credit data, potentially harming consumer credit scores.
Following the dismissal, the lease-to-own provider withdrew its countersuit against the CFPB.
Putting It Into Practice: The CFPB’s dismissal of these two lawsuits suggests a broader trend of scaling back certain enforcement actions initiated under prior leadership (previously discussed here). This could indicate a shift toward a more selective regulatory approach, particularly in areas where jurisdictional disputes exist.
Listen to this post
SEC Clarifies Stance: Most Meme Coins Not Subject to Securities Regulation
Most meme coins are not securities, and their offer and sale will not need to be registered or require an exemption from registration, SEC staff said in a clarifying statement on Feb. 27, 2025.
Meme coins are generally collectible digital assets with little or no user functionality. These coins are often purchased and traded for entertainment and often relate to current events and popular culture. Although the staff said it will not regulate meme coins nor combat fraud related to meme coin transactions, the statement stressed that market participants must still evaluate the economic realities of all meme coins in transactions on a continuing basis to determine if these assets are securities.
Although individual meme coins may have unique features, meme coins the SEC is unlikely to regulate may have some or all of the following common features, according to the statement:
the coins will be purchased for entertainment, social interaction, and cultural purposes;
market demand and speculation primarily drive meme coin value, similar to collectibles;
meme coins typically have limited or no use or functionality;
given their speculative nature, meme coins tend to experience significant market price volatility;
statements regarding their risks and lack of utility – other than for entertainment or other non-functional purposes – often accompany meme coins.
The SEC staff analyzed the features of a typical meme coin under the Howey test – the SEC’s fundamental framework for whether a crypto asset is an investment contract. The Howey test determines if certain arrangements or instruments are investment contracts based on their “economic realities.”
The statement included the following elements and conclusions with respect to the Howey test:
A meme coin purchaser will generally not be making an investment in an enterprise. That is, promoters do not pool their funds are together for developing the coin or a related enterprise.
Second, any expectation of profits that meme coin purchasers have is not derived from the efforts of others, but rather from speculative trading, like a collectible such as a baseball card.
Finally, the promoters of meme coin projects are not likely undertaking managerial and entrepreneurial efforts from which purchasers could reasonably expect profit.
The staff statement further cautions meme coin purchasers and holders that given the SEC will not retain oversight of the meme product, market participants will not be protected from deceptive activities under federal securities laws. By extension, private parties will not have a cause of action for misconduct or fraud under federal securities laws. Notwithstanding the pronouncement, merely labeling a product as a meme coin solely to disguise a security, the statement warns, is an attempt to evade the application of federal securities laws and subject to SEC enforcement.
Who will oversee market activity on behalf of consumers and speculators in meme coins is now an open question, although the staff expressed that fraudulent conduct may be subject to enforcement action or prosecution by other agencies under other federal and state laws.
The Commodities Futures Trading Commission (CFTC) has enforcement authority over manipulation and fraud in the spot commodities markets. It remains to be seen if the CFTC will assert that meme coins, generally fungible, are captured in the definition of a commodity and therefore within its supervision.
The release on meme coins is the first substantive shaping of the SEC’s digital asset policy since the January formation of the new Crypto Task Force, led by Commissioner Hester Peirce.
New “Self-Correction” Option for Voluntary Fiduciary Correction Starts March 17, 2025
Starting March 17, 2025, the Employee Benefits Security Administration’s Voluntary Fiduciary Correction Program (“VFCP”) will have a “self-correction” option. Although the new option eliminates the need to wait for formal approval of a correction submission, participating fiduciaries will still need to satisfy a notice requirement and submit information to the Department of Labor. The applicable guidance is available here.
What is the VFCP?
The Department of Labor’s Employee Benefits Security Administration (“EBSA,” previously known as the Pension and Welfare Benefits Administration) established VFCP to encourage fiduciaries of employee benefit plans to self-report and correct specified breaches of fiduciary responsibility and prohibited transactions. EBSA encourages the use of the program to correct late contributions and loan repayments to a plan.
Under VFCP, EBSA waives civil penalties for specified transactions and, if certain conditions are satisfied, provides prohibited transaction relief.
What Transactions Qualify for Self-Correction?
Self-correction is available for two types of transactions that would otherwise be prohibited, each of which is described below:
Late Participant Contributions and Loan Repayments
Eligible Inadvertent Participant Loan Failures
Late Participant Contributions and Loan Repayments
Under EBSA guidance, participant contributions and loan repayments are considered plan assets as soon as they can reasonably be segregated from the employer’s general assets. For example, if an employer’s process for withholding amounts from participants’ pay, reconciling files, and sending the money to the trust normally takes 5 days, EBSA treats the amounts withheld as plan assets after 5 days. Consequently, a hiccup that results in a delay relative to the normal 5 days would result in the employer holding plan assets, which EBSA treats as a prohibited extension of credit between the plan and the employer—triggering a self-reported excise tax and potential civil penalties.
By participating in VFCP, fiduciaries can avoid civil penalties and, if the applicable amounts are contributed to the plan’s trust within 180 days after withholding (and all other requirements are satisfied), get relief from the excise tax. Starting March 17, 2025, the relief provided by VFCP is available through self-correction if the following requirements are satisfied:
Neither the employer nor the plan may be “under investigation” (as defined by the VFCP);
The applicable amounts must be remitted to the plan’s trust, with lost earnings (as described below), within 180 calendar days after the date of withholding from the participant’s paycheck (or, if applicable, receipt of the loan repayment) (the “Loss Date”);
Lost earnings are determined in the same manner as under VFCP, except that they must be measured from the Loss Date rather than the date the amount should have been contributed to the trust, and the amount of lost earnings must not exceed $1,000;
The plan sponsor or another plan official must send a notice to EBSA through an electronic tool on EBSA’s website;
The employer (or another responsible party) must send to the plan’s administrator records related to the correction, including a “Retention Record Checklist” that confirms the correction has been completed, documentation of the breach and its correction, and a signed statement, under penalties of perjury, confirming that the signer is not under investigation and the accuracy of the checklist; and
The employer must pay all penalties, late fees, and other charges (if any) out of the employer’s assets (and not, for example, out of plan assets).
2. Eligible Inadvertent Participant Loan Failures
A participant loan failure is a violation of the requirements under EBSA’s prohibited transaction exemption (29 C.F.R. § 2550.408b-1) for a loan from a plan to a participant or beneficiary. The following violations are eligible for self-correction:
Failing to comply with plan terms incorporating Internal Revenue Code requirements regarding the amount, duration, or amortization of plan loans;
Defaulting a loan because an employer failed to withhold loan payments from a participant’s wages;
Failing to obtain spousal consent when required; and
Exceeding the plan’s permitted number of loans.
To complete the self-correction, plan officials must first correct the participant loan failure under the IRS’s Employee Plans Compliance Resolution System and then submit a self-correction notice to EBSA via its web tool. The notice to EBSA must include, among other things, the type of loan failure, the loan amount, the number of people affected, the dates of the error and correction, and the correction method. Plan officials must also provide the plan administrator with documents related to the error and correction and a signed certification of accuracy that is subject to penalties of perjury.
Excise Tax Relief
Prohibited Transaction Exemption 2002-51 has been amended to provide excise tax relief for transactions corrected under the self-correction program. To be eligible for the excise tax relief, however, self-correctors must pay the amount of the excise tax directly to the plan. This leaves the plan sponsor with the following options for the excise tax:
Complete a full VFCP application and seek relief from the excise tax, subject to satisfying additional requirements, including a notice to impacted individuals;
Complete self-correction under VFCP and pay the full amount of the excise tax to the plan; or
File Form 5330 with the IRS and pay the full amount of the excise tax to the IRS. If this option is followed, EBSA would retain the right to assess a civil penalty of up to 5% of the amount involved.
Other Notable Updates to the VFCP
In addition to introducing self-correction, EBSA has made other improvements to VFCP, including:
Expanded correction options for prohibited loan transactions and prohibited purchase and sale transactions;
Extending relief from transactions involving a prohibited sale and leaseback of real estate to covers eligible transactions with affiliates of the plan sponsor; and
Allowing VFCP applications to address violations across more than one plan in a single submission.
Proskauer Perspective
The self-correction program should streamline the EBSA-approved process for correcting common errors. At the same time, however, the requirements for self-correction are not trivial, and EBSA reserves the right to scrutinize the submission and corrective action.
Plan sponsors and fiduciaries should discuss with counsel practical solutions for any violation.
OCC Clarifies Banks’ Role in Cryptocurrency Activities
On March 7, the OCC issued Interpretive Letter 1183 and an accompanying statement affirming prior guidance regarding whether national banks and federal savings associations may engage in cryptocurrency-related activities, including (i) providing custody services for depositors’ crypto assets, (ii) holding stablecoin “reserves,” (iii) facilitating stablecoin payments, and (iv) performing payment verification activities on blockchain networks. Importantly, the letter also rescinded the OCC’s Interpretive Letter 1179, which required banks to obtain written supervisory non-objection before engaging in these cryptocurrency activities.
What This Means for Banks
Specifically, banks are authorized to:
Offer Crypto-Asset Custody Services: Banks are authorized to hold unique cryptographic keys associated with customers’ cryptocurrency wallets, allowing them to hold cryptocurrency products on depositors’ behalf.
Maintain Stablecoin “Reserves”: Generally, stablecoins are a type of cryptocurrency designed to maintain a stable value. Their value is often pegged to fiat currencies, such as the U.S. dollar. Issuers of stablecoins may desire to place assets in a reserve account with a bank to provide assurance that the issuer has sufficient assets backing the stablecoin (usually on a 1:1 basis). Banks may now hold stablecoin reserves on behalf of stablecoin issuers.
Verify Blockchain-Based Payments: Banks are authorized to participate in blockchain networks by validating, storing, and recording on-chain transactions as a form of payment processing, which includes facilitating stablecoin transactions. The OCC has stated that it views blockchain-based payment facilitation as an evolution of traditional banking functions.
The OCC also clarified that while national banks and federal savings associations may engage in these activities, they must align with sound risk management practices and ensure compliance with applicable laws, including making sure they have adequate capital and liquidity to support crypto-related operations.
Putting It Into Practice: The OCC’s statement offers insight into the new administration’s perspective on banks’ roles in the rapidly evolving crypto ecosystem and coincides with other federal regulators, including the Securities and Exchange Commission, shifting their crypto-related priorities (previously discussed here). By eliminating the requirement for supervisory non-objection, the OCC signals a shift in its regulatory approach, aiming to reduce barriers for banks exploring crypto-related services. As the regulatory landscape evolves, financial institutions should closely monitor further guidance from the OCC and other federal agencies to adapt their crypto compliance strategies accordingly.
Listen to this post
DFPI Finalizes Debt Collection Licensing Regulations, Effective July 1
On March 4, the California DFPI finalized regulations under the Debt Collection Licensing Act (DCLA). The final regulations, which take effect July 1, 2025, clarify key licensing and reporting requirements.
Under the DLCA, debt collectors operating in California must be licensed by the DFPI. The law also requires licensed debt collectors to submit annual reports and pay a pro rata assessment to fund DFPI’s oversight of the industry. The final regulations provide critical definitions and reporting requirements to ensure compliance with these obligations.
The DFPI’s final regulations make several key clarifications, including:
Definition of “Net Proceeds”. The regulations establish how debt collectors must calculate net proceeds generated by California debtor accounts, which determines their annual pro rata assessment
Debt Buyers: Net proceeds equal the amount collected minus the prorated amount paid for the purchased debt.
Debt Owners (excluding Debt Buyers): Net proceeds equal fees and charges collected from debtors that would not have been received if the debt had been paid on time.
Other Debt Collectors: Net proceeds equal the total amount received from clients (the companies on whose behalf the debt collectors have been contracted to collect on an account), regardless of fee structure.
For all three categories, net proceeds are calculated before deducting costs and expenses.
Annual Reporting Requirements. Licensees must report (1) the total number of California debtor accounts collected in full or in part, (2) the total number of California debtor accounts where collection was attempted but no payments were received, and (3) the total number of California debtor accounts in the licensee’s portfolio at year-end.
Putting It Into Practice: The DFPI’s final regulations align with the CFPB’s recent push for states to expand regulatory oversight, as outlined in its January 2025 roadmap (previously discussed here). By increasing reporting requirements and clarifying assessment obligations, California is reinforcing its role as a leader in consumer financial protection. Other states may follow suit, signaling a broader trend toward enhanced debt collection oversight at the state level.
Listen to this post
CFPB Moves Forward with Military Lending Act Enforcement Against Installment Lender
On March 10, 2025, the CFPB informed the U.S. District Court for the Northern District of Texas that it will proceed with litigation against a short-term installment lender and its subsidiary for alleged violations of the Military Lending Act (MLA). The lawsuit alleges that the lender violated the MLA and a 2013 administrative consent order by issuing loans to military service members with interest rates exceeding the MLA’s 36% cap, included mandatory arbitration provisions in loan contracts, and failed to provide required disclosures. The CFPB further asserts that these practices continued despite a prior CFPB enforcement order against the lender’s predecessor.
Specifically, the lawsuit alleges that the lender:
Charged interest rates exceeding the MLA’s 36% cap. Between June 2017 and May 2021, the lender allegedly issued over 3,600 pawn loans to more than 1,000 military borrowers with APRs frequently exceeding 200%.
Included mandatory arbitration clauses in loan agreements. The Bureau asserts that loan contracts required military borrowers to submit to arbitration in the event of a dispute, despite the MLA’s explicit prohibition on such provisions.
Failed to provide necessary MLA disclosures. The lender allegedly did not furnish covered borrowers with necessary loan disclosures, including the Military Annual Percentage Rate (MAPR), before or at the time of transaction.
Violated a prior CFPB enforcement order. The lender was subject to a 2013 CFPB consent order barring it and its successors from further MLA violations. The Bureau contends that the lender ignored and continued to engage in prohibited lending practices.
Putting It Into Practice: The CFPB’s decision marks the second MLA enforcement action it decided to move forward with this month (previously discussed here). This signals that MLA enforcement remains a priority under the new administration. Lenders offering credit to military service members should expect continued scrutiny and ensure compliance with MLA requirements.
Listen to this post
GOP Senators Moving to Invoke the Congressional Review Act Over Biden-Era Rules
The CFPB is facing pushback from the U.S. Senate over two final rules issued under the Biden administration: one expanding oversight of nonbank digital payment providers and another limiting the reporting of medical debt. Both efforts invoke the Congressional Review Act (CRA), a legislative mechanism that allows Congress to roll back recently finalized federal regulations.
The CRA gives Congress the authority to nullify federal agency rules within 60 legislative days of their finalization. To successfully repeal a rule, both the Senate and the House must pass a joint resolution of disapproval, which then requires the President’s signature. If a rule is repealed under the CRA, the agency is prohibited from issuing a substantially similar regulation unless Congress explicitly authorizes it.
On March 5, the U.S. Senate voted to repeal the CFPB’s nonbank digital payment supervision rule, which expands the agency’s supervisory authority over large nonbank payment providers. Under the rule (previously discussed here), a nonbank covered person is subject to the Bureau’s supervisory authority if it conducts more than 50 million consumer payment transactions annually. This definition classifies certain large nonbank entities as “larger participants” in the consumer financial market, making them subject to CFPB examinations and reporting requirements.
On March 11, Republican lawmakers introduced a separate resolution to overturn the CFPB’s medical debt reporting rule (previously discussed here), which requires consumer reporting agencies to remove all medical debt data from credit reports, preventing lenders from considering unpaid medical bills when evaluating credit applications. The rule has faced legal challenges since its inception (discussed here and here). The resolution is still pending in the Senate and has not yet been voted on.
Putting It Into Practice: The recent challenges to the CFPB rules using the CRA reflect a broader trend of increased scrutiny over regulatory measures enacted toward the end of the Biden Administration. Moreover, this trend is not isolated to the CFPB, as other agencies have also seen their rules targeted.
Listen to this post
UK Financial Regulators Drop Diversity and Inclusion Rules but Keep Culture in Focus
On 11 March 2025, the UK’s financial regulators confirmed they have decided not to move forward with proposed diversity and inclusion (D&I) rules for financial firms. This decision in a letter by the Financial Conduct Authority (FCA) and a letter by the Prudential Regulation Authority (PRA) marks the end of a long-running debate that has been ongoing since 2023. However, while formal D&I improvement measures are off the table, culture remains firmly in the regulators’ sights, with new rules on non-financial misconduct expected by June 2025.
No New Rules to Improve D&I
The decision not to introduce new D&I regulations follows industry pushback, set against the global landscape where D&I has become a polarized topic in some jurisdictions, including the U.S.. Regulators initially aimed to mandate D&I policies, setting out that diversity was crucial to improving governance, decision-making, and reducing groupthink risks. However, firms raised concerns about the administrative burden and costs associated with mandatory requirements, arguing that existing legislation already addresses many aspects of workplace equality and inclusion.
Culture Still on the FCA’s Agenda
Despite the abandonment of new D&I rules, culture within financial firms remains a key focus for the FCA. It has made it clear that it intends to publish new rules on non-financial misconduct by the end of June 2025. This commitment highlights the FCA’s ongoing effort to tackle cultural issues within the sector, including misconduct that falls outside traditional financial violations.
Non-financial misconduct covers a wide range of issues, including harassment and other inappropriate behaviour within the workplace. By maintaining pressure on firms to address these cultural challenges, the FCA is signalling that it will not tolerate harmful practices within UK’s financial services industry.
Firms should take note that non-financial misconduct will soon be in the regulator’s enforcement remit, and proactive steps to build positive, respectful workplace environments are still important.
NO IMMUNITY: Capital One Sued Over “Refer a Friend” Text – Court Holds Section 230 Does Not Apply
Recently, while shopping around for a new credit card, I was surprised by how many people were eager to “refer” me. It’s a common promotional scheme – someone sends you a referral link or code, and if you use it, they score a bonus. Seems harmless enough, but a recent ruling out of the Western District of Washington has raised an important question—can the company behind these referral programs be held liable for the messages sent? Let’s find out.
Plaintiff Tamie Jensen alleged that she received a text message from a contact, containing content prepared by Defendant Capital One as part of its “Refer a Friend” program. Jensen filed this putative class-action lawsuit on behalf of herself and others who received a “Refer a Friend” text message – claiming that the transmission of this commercial text message violated Washington’s Commercial Electronic Mail Act (“CEMA”) and Consumer Protection Act (“CPA”).
According to the Complaint, users can click the referral button on Capital One’s app or website, prompting Capital One to generate a referral link and compose an editable text message. The user is then allegedly directed to copy and paste the message with the link and send it to their contacts. The Complaint states that on the app (but not the website), a notice underneath the referral button reads: “You confirm you have consent to send text messages to each recipient. You may edit the pre-filled message as desired.” Jensen claims the alleged text message she received had not been edited by her contact before she received it and contained only the pre-filled content composed by Capital One.
In its motion to dismiss the lawsuit, Capital One raised three contentions, including an argument that it is immune under Section 230 of the Communications Decency Act from liability for text messages it did not directly send.
Section 230 isn’t something we talk about here too often, so let me give you a little background – the operative part of Section 230(c)(1) specifies that “no provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” The statute essentially protects online platforms such as Google, Facebook, or Amazon, as well as companies that provide broadband internet access or web hosting from being held legally responsible for information posted by an “information content provider”, or the person or entity actually responsible for the creation or development of information. However, Section 230 does not prevent an interactive computer service from being held liable for information that it has developed. Section 230, therefore, distinguishes those who create content from those who provide access to that content, providing immunity to the latter group. An entity may be both an “interactive computer service” provider and an “information content provider,” but the critical inquiry for applying Section 230’s immunity is whether the service provider developed the content that is the basis for liability.
With that out of the way, let’s get into Jensen and Capital One’s specific contentions. Jensen argued that she complains of content provided—either entirely or mostly—by Capital One, not by a third party (the “friend” who sent her the referral text). Capital One, however, argued that because it merely provided suggested language, and its customers retained control over whether to or what to text to their friends, Capital One should not be liable for the text messages and language that its customers chose to send.
The Court agreed with Jensen, holding that the offending content for the purposes of the alleged CEMA violation is the referral link—which was composed in its entirety by Capital One with respect to the text Jensen received. Although Capital One emphasized that senders retain the ability to modify the content of the “Refer a Friend” texts, the text Jensen allegedly received was not modified. The Court distinguished the situation here from that in Carafano v. Metrosplash.com, Inc., 339 F.3d 1119, 1122 (9th Cir. 2003), where the defendant was an online dating site that required users to complete a multiple-choice survey to create a profile. A user created a false and defamatory profile for a celebrity, who then sued the site. The Ninth Circuit held that, although the site required its users to complete the survey, because the site did not play a significant role in creating, developing, or transforming the relevant information—the defamatory information—the dating site was protected by Section 230. Here, however, because Jensen alleged that Capital One is the sole author of the content of the text that she received, the Court held that Capital One is not entitled to Section 230 immunity.
The Court also rejected Capital One’s two other grounds for dismissing the Complaint – that Jensen’s claims seek to interfere with Capital One’s power to advertise and market its credit cards, and are therefore preempted by the National Bank Act (“NBA”), and that Jensen did not state a CEMA claim because she failed to allege that Capital One either initiated the text message or substantially assisted in transmitting the message.
Briefly, CEMA imposes liability for persons conducting business in Washington who “initiate” or “assist” in transmitting a commercial text message to a telephone number assigned to a Washington resident’s cell phone. CEMA defines “assist the transmission” as providing “substantial assistance or support.” WASH. REV. CODE § 19.190.010(1). Interestingly, Capital One essentially conceded that it assisted its customers in transmitting text messages but argued that the assistance it provided was not “substantial.” The Court disagreed, finding that Jensen’s allegations that Capital One generates a referral link and other content of a text message that customers are asked to copy and send to their contacts are sufficient to support a finding that Capital One substantially assisted its customers in formulating, composing, and sending commercial text messages. Although Capital One emphasized the part of the process that is outside its control (when to send messages, who to send messages to, whether Capital One’s provided language should be edited or sent as is), the Court held that these arguments go to the merits of the CEMA claim, rather than the sufficiency of Jensen’s allegations.
Capital One also attempted to argue that it notified its customers only to send texts to people who have consented to receive them and did not know that the text messages would be sent without consent. However, Capital One’s description of the notice was found to be only partially accurate: the notice on the mobile app indicates that the customer should have received consent to send “text messages” to the recipient, but not that the customer should have received consent to send the particular commercial text message. The Court rejected Capital One’s argument that a “natural reading” of the notice would tell a consumer to only send the specific commercial text with consent and instead concluded that the plain language of the notice suggests that the consent at issue is the consent to send text messages in general.
Lastly, the Court rejected Capital One’s contention that CEMA represents a significant restriction on Capital One’s ability to advertise its credit cards, and is thereby preempted by the NBA, which gives federally chartered banks the power “[t]o exercise … all such incidental powers as shall be necessary to carry on the business of banking.” 12 U.S.C. § 24. The Court held that CEMA’s generally applicable restrictions on the manner of advertising would not restrict all forms of Capital One’s advertising, or even all forms of advertising via text message. Accordingly, the Court found that requiring Capital One to comply with CEMA would not significantly impair its ability to advertise its credit cards and thus found no preemption here.
The Future of Section 230
A particularly interesting part of this decision is when the Court notes that “the purpose of Section 230 immunity—to encourage Internet service providers to voluntarily monitor and edit user-generated speech in internet traffic—would not be served by protecting Capital One from liability in this case.” As acknowledged by the Court, the “two basic policy reasons” for Section 230 immunity are “to promote the free exchange of information and ideas over the Internet and to encourage voluntary monitoring for offensive or obscene material.” Remember, this statute was enacted back in 1996. At the time, the feeling was that the threat of being sued into oblivion by anyone who felt wronged by something someone else posted would naturally disincentivize online platforms that were still very much in their nascent stage of growth – and not the tech giants we see today. Over the years, there have been numerous attempts to reform Section 230, ranging from outright repeal to reinterpreting the scope of protected activities (for example, limiting or eliminating protection of child sexual abuse material has been one of the few bipartisan efforts in recent years), placing conditions on platforms that wish to avail the immunity, and altering the “Good Samaritan” provisions to address what are perceived to be politically motivated content removals.
Of course, this brings us to the question of who actually decides the scope of Section 230 – until not too long ago, the clear answer was the FCC. However, the Supreme Court’s decision in Loper Bright v. Raimondo stripped the FCC of its ability to broadly interpret statutes. Nevertheless, FCC Chairman Brendan Carr made his views on Section 230 perfectly clear in his chapter of Project 2025, stating that, “The FCC should issue an order that interprets Section 230 in a way that eliminates the expansive, non-textual immunities that courts have read into the statute.” While the FCC’s authority to do this in a post-Loper world is questionable, Carr also adds, “The FCC should work with Congress on more fundamental Section 230 reforms […] ensuring that Internet companies no longer have carte blanche to censor protected speech while maintaining their Section 230 protections.”
Conclusion
So, to answer the question I started with – yes, a corporation can be held liable for the transmission of a message it developed. Even with a Section 230 shakeup on the horizon, it doesn’t look like Capital One will be offered any respite in this case.
However, it will be interesting to see what stance the FCC does take on the future of Section 230 – and we may find out sooner rather than later in light of the deregulation initiative announced on March 12, 2025.
Meanwhile, you can read the Court’s order here: Jensen v. Capital One Financial Corp., 2025 WL 606194 (W.D. Wash. Feb. 25, 2025).
Privacy Tip #435 – Threat Actors Go Retro: Using Snail Mail for Scams
We have educated our readers about phishing, smishing, QRishing, and vishing scams, and now we’re warning you about what we have dubbed “snailing.” Yes, believe it or not, threat actors have gone retro and are using snail mail to try to extort victims. TechRadar is reporting that, according to GuidePoint Security, an organization received several letters in the mail, allegedly from the BianLian cybercriminal gang, stating:
“I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.”
The letter alleges that the recipient’s network “is insecure and we were able to gain access and intercept your network traffic, leverage your personal email address, passwords, online accounts and other information to social engineer our way into [REDACTED] systems via your home network with the help of another employee.” The threat actors then demand $250,000-$350,000 in Bitcoin within ten days. They even offer a QR code in the letter that directs the recipient to the Bitcoin wallet.
It’s comical that the letters have a return address of an actual Boston office building.
GuidePoint Security says the letters and attacks mentioned in them are fake and are inconsistent with BianLian’s ransom notes. Apparently, these days, even threat actors get impersonated. Now you know—don’t get scammed by a snailing incident.