November 2024 Regulatory Roundup

PRIVACY & DATA SECURITY

California Approves New Regulations for Data Brokers Under the Delete Act

On November 8th, the California Privacy Protection Agency (CPPA) Board approved new regulations for data brokers that enhance the Delete Act's provisions. Notably, the new rules expand the definition of a data broker by limiting the exemption for a direct relationship with a consumer in two key ways: (1) requiring the consumer to have intentionally interacted with the business in the past three years and (2) carving out personal information that is not directly collected by the business from the consumer from the relevant exemption. The regulations also move forward development of a single request data deletion platform which data brokers will be required to utilize to receive deletion requests starting January 2026.?

BUSINESSES NEED TO KNOW: Enforcement of the Delete Act’s registration requirement has already begun with a well-publicized data broker sweep last month that has resulted in fines and settlements for noncompliant businesses. Under the newly expanded definition of a data broker, many businesses that previously fell outside its scope may now be considered data brokers subject to registration and other requirements. Businesses that engage in any sales of Californians’ personal information should carefully evaluate whether they meet the definition of a data broker.

Federal Judge Rules Illinois Biometric Privacy Law Amendment Applies Retroactively

A federal judge ruled that amendments to Illinois' Biometric Information Privacy Act (BIPA), which limit damages for repeated biometric data collection, apply retroactively to lawsuits filed before the changes were enacted. The amendment, Public Act 103-0769, limits businesses' liability by treating multiple collections of biometric data in the same manner as a single violation. The decision came in a case against Central Transport LLC, which had been accused of unlawfully collecting an employee's fingerprints for timekeeping, in which the judge found that the amendment clarifies rather than changes existing law.

BUSINESSES NEED TO KNOW: By establishing that the amendment was a clarification, not an overhaul, of the law, it applies as if it had been in effect since BIPA's enactment. That means plaintiffs can only seek a single recovery for repeated biometric data collections, significantly reducing the potential financial exposure for businesses in such cases. However, businesses collecting biometric information from Illinois residents should still carefully review their compliance with BIPA as they may encounter substantial liability risk when collecting improperly from a large group on individuals.

TCPA/TELESERVICES

What Will the FCC Look Like Under Brendan Carr?

Tapped to take the helm under the new Trump administration, Commissioner Brendan Carr will no doubt be shifting the FCC’s policy and enforcement priorities. In fact, as author of the FCC chapter in Project 2025, he has essentially already shared his roadmap. Businesses can expect a push for substantial reforms in U.S. telecommunications policy, including overturning Democratic-backed net neutrality rules, revising the government’s approach to shielding online service providers from liability for user-generated content, and relaxing restrictions on broadcast media ownership consolidation.

BUSINESSES NEED TO KNOW: What does this mean for the TCPA and other telemarketing regulations? We’ll be taking a deeper dive on December 18th into what to expect when it comes to things like 1:1 consent, call blocking, robocall enforcement, AI regulations, and much more. Register here to join us!

Washington's CEMA Spurs Class Action Lawsuits Over Referral Programs

Class action lawsuits using Washington state's Consumer Electronic Mail Act (CEMA) for TCPA-like violations related to “refer-a-friend” text marketing programs are on the rise. Enacted in 2003, CEMA prohibits businesses from sending or substantially assisting in transmitting unsolicited commercial text messages to Washington residents without clear consent. However, with the term “substantial assistance” undefined, CEMA offers a potentially broader scope for litigants than the federal TCPA. Leveraging this, recent lawsuits against companies such as Robinhood and Capital One illustrate the varied approaches plaintiffs are taking in asserting companies enabled unsolicited text messages – including pre-composing messages, offering referral rewards, and simplifying message transmission - even if their users send the messages themselves

BUSINESSES NEED TO KNOW: CEMA’s statutory damages of $500 per unlawful message and its expansive interpretation of “assistance” increase companies’ exposure. Businesses with referral programs targeting Washington residents should carefully review their practices or consider restricting program access to minimize legal risks.

FCC Tightens Caller ID Authentication Rules to Combat Robocalls

The FCC unanimously adopted stricter regulations to strengthen caller ID authentication under the STIR/SHAKEN framework, aiming to better combat spoofed robocalls. The new rules establish clear guidelines for telecom providers using third-party services to verify caller ID information, aiming to prevent telecoms from sidestepping responsibility for verifying caller IDs.

The updated order mandates that providers make attestation-level decisions themselves and use their own certificates for signing calls, even when involving third parties. It also introduces recordkeeping requirements, new technical parameters for third parties, and a definition of "third-party authentication" to clarify both what is allowed and prohibited by the new rules.

BUSINESSES NEED TO KNOW: The FCC continues to tighten authentication protocols under the STIR/SHAKEN framework.? Telecom providers should review their compliance policies as they now have increased liability for signing off on calls, regardless of whether the provider is using third-party services.? Providers should also review their contracts and agreements to ensure their partners are in compliance with the upcoming changes.

Unwanted Telemarketing Call Complaints Down More Than 50 Percent Since 2021

The FCC released its 2024 National Do Not Call Data Registry Book and there’s some good news in there. Consumer reports regarding unwanted calls have dropped for the third year in a row, with total complaint volume down by more than 50% since 2021. Cheers to all the businesses maintaining compliance with a dizzying array of state and federal telemarketing laws.

BUSINESSES NEED TO KNOW: Unfortunately, given the TCPA’s lucrative draw for plaintiffs, this decline in complaints is not accompanied by a correlating decline in lawsuits. According to the U.S. Chamber of Commerce Institute for Legal Reform, TCPA lawsuits have been on the rebound following a post-Duguid drop and continue to top the charts for consumer class actions. In fact, the TCPA and similar state laws “continue to fuel massive litigation abuse from plaintiffs’ lawyers,” with just 10 repeat players accounting for more than half of federal TCPA litigation.

ADVERTISING & MARKETING

FTC Charges Sitejabber with Deceptive Practices Over AI-Enabled Consumer Reviews

The Federal Trade Commission (FTC) has charged Sitejabber, an AI-enabled consumer review platform, with deceiving consumers by misrepresenting that its published ratings and reviews were from customers who had experienced the reviewed products or services. Instead, Sitejabber allegedly inflated average ratings and review counts using feedback collected at the point of purchase or pre-fulfillment, before customers had the opportunity to experience the products or services. Inflated ratings and reviews were displayed on their site, as well as on Google and client websites.

The?proposed order?prohibits Sitejabber from making or assisting others in misrepresentations about consumer ratings and reviews, including statements that the average customer rating, number of ratings or reviews, or any rating or review of a product, service, or business reflects the views of customers who actually received the product or service purchased or had an opportunity to experience the product or service.

BUSINESSES NEED TO KNOW: All businesses, including those in newer, disruptive industries such as AI, should take note of the FTC’s continuing enforcement efforts. Businesses may not falsify or misrepresent customer reviews or experiences and should take care to ensure that any customer endorsements reflect actual customer experiences.

Join M&S Partners Michele A. Shuster , Helen Mac Murray & Joshua Stevens for our annual Crystal Ball Predictions webinar, where they will discuss their predictions on regulatory activity in 2025. Register Now.

Learn how we can help keep you in compliance and ahead of the regulatory curve. Let's Talk.

Want to receive Regulatory Roundups right to your inbox? Subscribe.