As we reach the peak of this year’s Spooky Season, we thought it would be helpful to revisit some of the scariest recent developments in the realm of TCPA litigation and compliance.  The conventional wisdom is that some of the new rules and regulations coming into play around the TCPA are going to lead to even more litigation under the statute.  But at the same time, the Supreme Court’s ruling earlier this year in Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024), has called into question much of what we thought we knew about administrative law, leading to ambiguity and uncertainty surrounding the TCPA and many other statutes. 

One-to-One Consent Rule

We’re now just under three months away from the January 27, 2025 effective date of the FCC’s one-to-one consent rule.  Formally adopted in December 2023, the rule requires that prior express written consent be obtained separately for each company seeking to use such consent.  This raises significant concerns about a company’s ability to communicate with not only third-party leads but also many first-party leads, if consent is not adequate under the new rule. 

The TCPA has long required prior express written consent for calls and texts that contain an artificial or prerecorded voice or are sent using an “automatic telephone dialing system.”  But the new rule states, in relevant part, that:Continue Reading TCPA Turnstile: Four Scariest Developments (and a Potential Ray of Light Amid the Fright) (TCPA Update Vol. 19)

On July 30, 2024, the Texas Attorney General’s Office announced a $1.4 billion settlement of biometric privacy claims brought against Meta arising from Meta’s historical use of facial recognition technology on photographs posted to Facebook’s social media platform.Continue Reading Texas and Meta Settle Biometric Data Litigation for $1.4 Billion

For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach.  There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities. Continue Reading Breach Response: Is 72 hours the new 30 days?

Last week, a sharply divided U.S. Securities and Exchange Commission (“SEC”) significantly increased reporting requirements on public companies by adopting a Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the “Rule”)[1] that requires, among many other things, reporting of “cybersecurity incidents” within only four business days of a “materiality” determination (subject to limited exceptions involving national security or public safety, as determined by the U.S. Attorney General).  As justification for this extremely short reporting period, the SEC cited the 72-hour “discovery” and 24-hour ransom payment reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  But there is a critical distinction: The CIRCIA reporting requirements are confidential, whereas the reporting requirements under the Rule are public.  Why does that matter?  Among other reasons, a requirement for rapid public reporting may well lead to more cybersecurity incident class actions (whether meritorious or not).Continue Reading Cybersecurity Sheriffs Continue to Multiply and Crack Down – New SEC Rule Amps Up Public Company Pressure

Just over halfway through 2023, nationwide TCPA jurisprudence is focused on further delineating the scope of the TCPA. As the dust settles from earlier battles over defining ATDS requirements, the cases from this year are largely aimed at establishing who can bring a claim under the TCPA and what conduct the statute covers. We summarize here developments since our last update, listed in alphabetical order by topic area.Continue Reading TCPA Turnstile: Scoping out the TCPA – 2023 Midyear Update (TCPA Case Update Vol. 18)

On March 15, 2023, the SEC reopened the comment period on proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies and business development companies that were proposed on February 9, 2022. The initial comment period ended on April 11, 2022. A previous Vedder Price summary of the proposals is available here. Comments on the proposals are now due by May 22, 2023.Continue Reading SEC Reopens Comment Period for Investment Adviser and Investment Company Cybersecurity Proposals in Connection with Other Cyber and Data Privacy Related Proposals

In a highly anticipated decision, the Illinois Supreme Court recently held that a separate claim accrues under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.) each time biometric data or information is collected and/or disclosed.  The Supreme Court’s holding in Cothron v. White Castle System, Inc., 2023 IL 128004, is likely to have a profound impact on both the ability of plaintiffs to file BIPA claims and the calculation of liquidated damages for such claims.   Continue Reading BIPA ALERT: Illinois Supreme Court Opens the Door to “Punitive, Crippling Liability” for Illinois Businesses

In a ruling that is unlikely to significantly alter the landscape of litigation under the Illinois Biometric Information Privacy Act (“BIPA” or the “Act”) (740 ILCS 14/1 et seq.), the Illinois Supreme Court recently clarified that a five-year statute of limitations is applicable to all claims under the Act.  The Supreme Court’s holding in Tims, et al. v. Black Horse Carriers, Inc. clarifies the applicable statute of limitations period for BIPA claims, but does not address the critical question of when claims accrue under the Act.Continue Reading BIPA ALERT: Five Year Statute of Limitations Applicable to All BIPA Claims