Privacy

Subscribe to Privacy via RSS
Computer security

What was intended as a safeguard against abusive telemarketing is being twisted into a potentially far more sweeping restriction, raising serious First Amendment concerns for corporate communicators of people’s contact information. Colorado’s Prevention of Telemarketing Fraud Act’s (“PTFA”) listing provision (“Listing Provision”) threatens corporate sharing of cell phone numbers, regardless of whether these cellular phone numbers are already in the public domain. In just the past year, plaintiffs’ attorneys have filed almost 30 PTFA putative class actions, claiming that Coloradans’ cell phone numbers are presumptively private no matter how widely disseminated. In these shakedown suits, plaintiffs’ attorneys target companies for alleged knowing listing of “a cellular telephone number in a directory for a commercial purpose unless the person whose number has been listed has given affirmative consent[.]” Colo. Rev. Stat. Ann. § 6-1-304(4).Continue Reading Beware Plaintiffs Threatening the First Amendment – Colorado PTFA Listing Provision Litigation Seeks to Muzzle Freedom of Speech

Asian businesswoman using smartphone in airport lounge

Since our last TCPA update, the biggest development was the Supreme Court’s ruling in McLaughlin Chiropractic Associates, Inc. v. McKesson Corp., which we wrote about here, which established that federal courts are not bound by the FCC’s interpretation of the TCPA.  In the wake of McLaughlin, courts and litigants alike have wrestled with how much deference (if any) to give to the FCC’s many regulations interpreting the TCPA, as parties are now free to challenge agency rulings that they believe are not in line with the law, and district courts can independently interpret the TCPA.  We summarize here the major developments since our last update, listed in alphabetical order by topic area.Continue Reading TCPA Turnstile: Living in a Post-McLaughlin World (TCPA Update Vol. 21)

Faced with waves of consumer lawsuits targeting common website tools like browser cookies, tracking pixels, and live chat features, businesses are often frustrated by the outsized exposure posed by seemingly “no-injury” claims. (See, for example, last week’s post about CIPA claims.) The Ninth Circuit Court of Appeals recently provided some comfort by clarifying what a plaintiff must allege to show “concrete injury” as required for Article III standing. The court’s decision in Popa v. Microsoft Corp., No. 24-14, 2025 WL 2448824 (9th Cir. Aug. 26, 2025), strengthens defenses to online privacy claims—with broad application to other types of consumer claims as well—holding that standing requires more than just an alleged statutory violation.Continue Reading Popa v. Microsoft Corporation, et al.: Ninth Circuit Clarifies Article III Standing Requirements and Strengthens Defenses to Internet Privacy and Other Consumer Claims

cybersecurity concept Global network security technology, business people protect personal information. Encryption with a padlock icon on the virtual interface.

When we speak to clients about online privacy issues, they almost always mention the CCPA – California’s Consumer Privacy Act that regulates the collection and use of personal data. But unless they have already faced a lawsuit, pre-suit demand, or arbitration demand, our clients rarely mention the other four-letter California statute that has been the source of significant litigation over the past few years.  And that’s CIPA – California’s Invasion of Privacy Act.Continue Reading CIPA: The “Other” California Privacy Statute You Should Be Worried About

With its recent ruling in McLaughlin Chiropractic Associates, Inc. v. McKesson Corp., 606 U.S. ___ (2025), the U.S. Supreme Court has continued its trend of reining in the power of agencies and giving litigants more avenues to push back against administrative rulemaking.  This will have significant consequences in the context of statutes like the Telephone Consumer Protection Act (“TCPA”), which has steadily increased in scope over the years thanks to the Federal Communications Commission (“FCC”).  More generally, the Court’s decision in McLaughlin Chiropractic, paired with last year’s decision in Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024) (which we discussed here), raises significant questions about whether those FCC regulations carry any meaningful weight at this point.Continue Reading SCOTUS Ruling Tips the Scales in Favor of District Courts, Not the FCC, When it Comes to Interpreting TCPA

California is a bellwether for privacy laws, which is why we’ve been watching carefully as recent events suggest that business-friendly interests may be gaining a foothold in what has historically been one of the most restrictive states in the country.  Since the landmark California Consumer Privacy Act (“CCPA”) went into effect in 2020, interest groups, regulators, and politicians have been battling to impact the future of the statute and related regulations.  Meanwhile, creative plaintiffs’ lawyers have turned their focus to the California Invasion of Privacy Act (“CIPA”) to argue that California’s eavesdropping statute also applies to online tracking technologies.  But recent developments related to both the CIPA and the CCPA may give businesses reason for hope.Continue Reading Is California cooling to privacy law run amok?

On April 21, 2025, a Ninth Circuit en banc panel revived (by a 10-1 decision) a putative class action against Shopify, Inc. alleging violations of privacy and data rights via use of cookies. In reversing both the district court and the original Ninth Circuit three-judge panel, the en banc panel adopted an alarmingly expansive view of specific personal jurisdiction over Internet-based companies. We hope Shopify seeks and the U.S. Supreme Court grants certiorari.Continue Reading Opening Door to Universal Jurisdiction in Internet Cases, En Banc Ninth Circuit Finds Specific Personal Jurisdiction Over Shopify

On January 24, 2025, the Illinois Supreme Court ruled in Petta v. Christie Business Holding Co., P.C., 2025 IL 130337, that a patient who alleged an increased risk of harm arising from a data breach at a medical clinic did not suffer an injury in fact sufficient to confer standing.Continue Reading Illinois Supreme Court: Increased Risk of Harm Arising from a Data Breach Is Insufficient to Confer Standing

As we reach the peak of this year’s Spooky Season, we thought it would be helpful to revisit some of the scariest recent developments in the realm of TCPA litigation and compliance.  The conventional wisdom is that some of the new rules and regulations coming into play around the TCPA are going to lead to even more litigation under the statute.  But at the same time, the Supreme Court’s ruling earlier this year in Loper Bright Enterprises v. Raimondo, 144 S. Ct. 2244 (2024), has called into question much of what we thought we knew about administrative law, leading to ambiguity and uncertainty surrounding the TCPA and many other statutes. 

One-to-One Consent Rule

We’re now just under three months away from the January 27, 2025 effective date of the FCC’s one-to-one consent rule.  Formally adopted in December 2023, the rule requires that prior express written consent be obtained separately for each company seeking to use such consent.  This raises significant concerns about a company’s ability to communicate with not only third-party leads but also many first-party leads, if consent is not adequate under the new rule. 

The TCPA has long required prior express written consent for calls and texts that contain an artificial or prerecorded voice or are sent using an “automatic telephone dialing system.”  But the new rule states, in relevant part, that:Continue Reading TCPA Turnstile: Four Scariest Developments (and a Potential Ray of Light Amid the Fright) (TCPA Update Vol. 19)

Judge or auction gavel on Texas US America flag background. 3d illustration

On August 13, 2024, the Texas Attorney General’s Office (Texas AGO) filed a claim under Texas’s Deceptive Trade Practices-Consumer Protection Act challenging General Motors’ collection and use of data collected from consumers regarding their driving history. The Texas AGO’s complaint implicates thorny issues regarding how companies prepare and roll out privacy disclosures to consumers. The complaint also reiterates the importance of implementing clear, informed written consent processes when collecting and using consumer data.Continue Reading Texas Attorney General Challenges General Motors’s Collection and Sale of Driving Data