As we reach the peak of this year’s Spooky Season, we thought it would be helpful to revisit some of the scariest recent developments in the realm of TCPA litigation and compliance.  The conventional wisdom is that some of the new rules and regulations coming into play around the TCPA are going to lead to even more litigation under the statute.  But at the same time, the Supreme Court’s ruling earlier this year in Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024), has called into question much of what we thought we knew about administrative law, leading to ambiguity and uncertainty surrounding the TCPA and many other statutes. 

One-to-One Consent Rule

We’re now just under three months away from the January 27, 2025 effective date of the FCC’s one-to-one consent rule.  Formally adopted in December 2023, the rule requires that prior express written consent be obtained separately for each company seeking to use such consent.  This raises significant concerns about a company’s ability to communicate with not only third-party leads but also many first-party leads, if consent is not adequate under the new rule. 

The TCPA has long required prior express written consent for calls and texts that contain an artificial or prerecorded voice or are sent using an “automatic telephone dialing system.”  But the new rule states, in relevant part, that:Continue Reading TCPA Turnstile: Four Scariest Developments (and a Potential Ray of Light Amid the Fright) (TCPA Update Vol. 19)

On August 13, 2024, the Texas Attorney General’s Office (Texas AGO) filed a claim under Texas’s Deceptive Trade Practices-Consumer Protection Act challenging General Motors’ collection and use of data collected from consumers regarding their driving history. The Texas AGO’s complaint implicates thorny issues regarding how companies prepare and roll out privacy disclosures to consumers. The complaint also reiterates the importance of implementing clear, informed written consent processes when collecting and using consumer data.Continue Reading Texas Attorney General Challenges General Motors’s Collection and Sale of Driving Data

On April 26, 2024, the Federal Trade Commission (FTC) announced that it had finalized changes to the Health Breach Notification Rule (HBNR). These changes, which go into effect on June 25, 2024, are intended to modernize aspects of the HBNR such that the HBNR applies to entities not covered under the Health Insurance Portability and Accountability Act (HIPAA). The updated HBNR follows the FTC’s previously stated intention in a 2021 policy statement to broaden the interpretation of the HBNR to address the growing number of digital health applications, websites, and consumer-facing technology that were not subject to HIPAA. The scope of the finalized rule therefore aims to apply the HBNR to health care technology and digital health companies that obtain personal health records (PHR) and PHR identifiable health information.Continue Reading FTC Finalizes Broader Changes to the Health Breach Notification Rule

Last week, the U.S. Securities and Exchange Commission (“SEC”) became the latest federal regulator to implement a data breach notification law. The commissioners unanimously voted to approve amendments to Regulation S-P (the “Final Rule”)—the regulation governing the use of consumers’ personal information and records—to require certain financial institutions to adopt and maintain data incident response procedures and to require notification to consumers of the potential compromise of their data within 30 days of discovery.Continue Reading SEC Joins Chorus of Regulators Requiring Data Breach Notifications

For years, we were able to tell most clients experiencing a potential data security incident that they likely had at least 30 days to notify any third parties about the incident – if they concluded it was a breach.  There were, of course, exceptions in certain regulated industries, but most companies fell within the scope of the general state data breach notification statutes, none of which required a response sooner than 30 days. And for many years, we didn’t have to worry about more urgent deadlines created by federal authorities. Continue Reading Breach Response: Is 72 hours the new 30 days?

On August 8, 2023, the United States Securities and Exchange Commission (the “SEC” or the “Commission”) announced that 11 Wall Street firms (10 broker-dealer firms and one dually-registered investment adviser) agreed to settle charges for failing to properly maintain and preserve electronic communications relating to firm business. This included text messages and other messages sent

Just over halfway through 2023, nationwide TCPA jurisprudence is focused on further delineating the scope of the TCPA. As the dust settles from earlier battles over defining ATDS requirements, the cases from this year are largely aimed at establishing who can bring a claim under the TCPA and what conduct the statute covers. We summarize here developments since our last update, listed in alphabetical order by topic area.Continue Reading TCPA Turnstile: Scoping out the TCPA – 2023 Midyear Update (TCPA Case Update Vol. 18)

As 2022 comes to a close, we wanted to look back at the most significant Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”) decisions of the year.  While we didn’t see the types of landscape-altering decisions that we saw in 2021, there’s still plenty to take note of.  We summarize here the biggest developments since our last update, listed by issue category in alphabetical order.
Continue Reading TCPA Turnstile: 2022 Year in Review (TCPA Case Update Vol. 17)

Much ink has been spilled over the Executive Order Enhancing Safeguards for United States Signals Intelligence Activities (the “Executive Order”) signed by President Biden in early October.  The Executive Order is supposed to establish the United States’ commitments reflected in the March 25, 2022 joint EU-U.S. announcement of the Trans-Atlantic Data Privacy Framework (the “Framework”).  While the Framework is described as an “agreement in principle” to facilitate cross-border transfer of personal data, the Executive Order is supposed to go further, toward actually implementing the promised protective measures.  But does it?
Continue Reading Does the Latest Move in Trans-Atlantic Privacy Really Change the Game?

The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO) have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

In order for personal data gathered in the UK to be transferred, in a compliant manner, to the US a number of steps must be taken:Continue Reading UK-US Data Transfers Post Brexit