PRIVACY & DATA SECURITY
Wells Fargo, Partners Settle for $19.5M Over Secretly Recorded Calls to California Small Businesses
Wells Fargo, along with its partners, telemarketing firm Credit Wholesale Co. and payment processor Priority Commerce, agreed to a $19.5 million settlement to resolve allegations they illegally recorded small businesses’ calls in violation of the California Invasion of Privacy Act (CIPA). The lawsuit accused the companies of secretly recording telemarketing cold calls made by Credit Wholesale on behalf of Wells Fargo and Priority Commerce. The settlement also includes prospective relief, barring the recording of future calls without disclosure. Wells Fargo and Priority Commerce maintained that there was no principal-agent relationship with Credit Wholesale and that Credit Wholesale acted outside the scope of its authority by illegally recording calls.
BUSINESSES NEED TO KNOW: The proposed settlement, one of the largest ever under CIPA, would provide an average payout of $680 to nearly 19,000 claimants if approved – a figure substantially higher than previous CIPA class member payouts. It also highlights that CIPA suits can apply to B2B communications, not just B2C.
CPPA Fines Todd Snyder $345K for Mishandling Consumer Data Opt-Outs
The California Privacy Protection Agency (CPPA) issued its second public enforcement action under the California Consumer Privacy Act (CCPA), fining menswear retailer Todd Snyder Inc. more than $345,000. The agency alleged that the company failed to properly process consumer requests to opt out of the sale and sharing of personal data due to misconfigured privacy tools for 40 days in late 2023 and imposed excessive identity verification requirements.
Emphasizing that businesses are responsible for ensuring their privacy management systems function correctly, even when using third-party tools, the CPPA claimed that Todd Snyder would have known consumers weren’t able to exercise their opt-out rights if it had been monitoring its website rather than deferring to third-party privacy management tools “without knowing their limitations or validating their operation.” Todd Snyder has agreed to pay the fine and implement corrective measures, including employee training and improved opt-out mechanisms.
BUSINESSES NEED TO KNOW: With its hammer coming down on just 40 days of noncompliance, the CPPA is sending a strong enforcement message. The head of the privacy agency’s enforcement division has a clear warning: “Businesses should scrutinize their privacy management solutions to ensure they comply with the law and work as intended, because the buck stops with the businesses that use them. Using a consent management platform doesn’t get you off the hook for compliance.”
Senators Introduce “Don’t Sell My DNA Act” to Protect Genetic Privacy in Bankruptcy Cases
In response to 23andMe’s plan to sell users’ genetic data during its Chapter 11 bankruptcy, a bipartisan group of U.S. senators introduced the Don’t Sell My DNA Act, aimed at protecting consumer genetic privacy. The bill would update the Bankruptcy Code to include genetic data under “personally identifiable information” and require consumer consent before such data can be sold, leased, or used.
The proposed legislation follows public criticism and regulatory concern over Regeneron Pharmaceuticals’ successful $256 million bid for 23andMe’s assets, including its biobank. Regeneron has pledged to prioritize “the privacy, security and ethical use” of 23andMe’s customer data, and a privacy ombudsman has been appointed to assess the sale’s compliance with privacy and cybersecurity standards.
BUSINESSES NEED TO KNOW: Here’s a reminder that in any business sale, data is a valuable part of the transaction and may be subject to increased legal scrutiny. This is especially true when dealing with sensitive consumer information, which must be handled with the highest level of care, transparency, and compliance.
TCPA & TELESERVICES
2025 TCPA Litigation Trends
The numbers are in for April, and they’re not looking great. According to WebRecon, although TCPA class actions dipped slightly this month, they are still up a whopping 74% vs. the same time last year. And year to date through April? They’ve more than doubled. Moreover, unlike other consumer protection statutes where class actions represent just a small percentage of total litigation, class actions comprise the vast majority – almost 80%! – of all TCPA lawsuits, and the TCPA remains a lucrative hunting ground for opportunistic plaintiffs.
BUSINESSES NEED TO KNOW: We’ll keep saying it – proactive compliance with the TCPA (and other telemarketing laws) is not “optional” for consumer-facing businesses looking to stay in business. With TCPA lawsuits continuing to be on the rise overall, companies should ensure they stay up to date with legal requirements for their calling and telemarketing efforts or they may find themselves targeted.
ADVERTISING & MARKETING
FTC Delays Enforcement of “Click-to-Cancel” Rule to July 14
The FTC postponed enforcement of its new “Click-to-Cancel” rule by 60 days, moving the enforcement date of this Negative Option Rule provision to July 14, 2025. The delay came after a reassessment of the compliance burden on businesses, with the agency acknowledging that the original timeline did not fully account for the complexity of compliance implementation.
The rule targets “negative option” programs—subscriptions or services that continue unless the consumer affirmatively cancels. It requires businesses to provide a simple, accessible cancellation method that is symmetrical to the signup method, especially for online sign-ups, and mandates obtaining informed consent and record retention for at least three years. It also prohibits deceptive practices related to subscription terms.
BUSINESSES NEED TO KNOW: While the FTC has delayed enforcement of the “Click-to-Cancel” Rule and signaled that it is open to future amendments “if that enforcement experience exposes problems with the Rule,” businesses should still prepare now for implementing the rule’s requirements. Companies should ensure that their disclosure, consent, and cancellation mechanisms are up to par in advance of July 14th. Now is also a good time to review and fine-tune automatic renewal processes to comply with state automatic renewal laws, which may impose additional requirements.
Applebee’s Faces Class Action Over Hidden Delivery Fees in California
A proposed class action filed in California federal court accused Applebee’s of using deceptive “bait-and-switch” tactics to add undisclosed junk fees—such as delivery charges, service fees, and a misleading “CA Delivery Surcharge”—to online food delivery orders. Plaintiff Michael Drake alleged that these fees, revealed only at the final checkout step, violate California’s Unfair Competition Law, Consumer Legal Remedies Act, and False Advertising Law by misrepresenting the actual cost of orders and falsely implying some charges are government-mandated. The suit claims Applebee’s is passing on business costs to consumers without transparency, inflating order totals by up to 30%. Similar lawsuits have recently been filed against other major restaurant chains, including Shake Shack and Chipotle, for comparable practices.
BUSINESSES NEED TO KNOW: Lawmakers and regulators have increasingly scrutinized “junk fees,” which are hidden or unexpected charges that businesses add to the cost of a product or service. Pricing transparency, especially for businesses in e-commerce and delivery services, is critically important. Additional fees – whether labeled as service charges, surcharges, or delivery costs – must be clearly disclosed upfront, not at the checkout stage (known as “drip pricing”), to avoid potentially violating consumer protection laws. Misleading or ambiguous fee names that imply government mandates or unrelated services can also be considered deceptive practices that can invite legal scrutiny. Businesses should review their pricing structures, ensure all charges are clearly explained early in the purchasing process, and avoid shifting operational costs (like regulatory compliance) to customers without clear disclosure.
FTC Rule on Unfair or Deceptive Practices Now in Effect
The Federal Trade Commission’s Rule on Unfair or Deceptive Fees took effect May 12th. The Rule addresses certain unfair or deceptive practices involving fees or charges for live-event tickets and short-term lodging. These include bait-and-switch pricing that hides the total price by omitting mandatory fees and charges from advertised prices, as well as misrepresenting the nature, purpose, amount, and refundability of fees or charges.
The rule specifies that it is an unfair and deceptive practice for businesses to 1) offer, display, or advertise any price of live-event tickets or short-term lodging without clearly, conspicuously, and prominently disclosing the total price, and 2) misrepresent any fee or charge in any offer, display, or advertisement for live-event tickets or short-term lodging. Further, businesses must clearly and conspicuously make certain disclosures before a consumer consents to pay.
BUSINESSES NEED TO KNOW: Although the rule focuses on live-event ticketing and short-term lodging, its pricing transparency requirements illustrate best practices for all businesses. The FTC has published an FAQ resource to help businesses better understand the rule, which includes examples of pricing misrepresentations that may be in violation.