PRIVACY & DATA SECURITY
Judge Dismisses Website “Tester’s” Privacy Class Action Against Autotrader
A California federal judge has dismissed a proposed class action against Autotrader, finding that plaintiff Rebeka Rodriguez, a website “tester,” lacked standing to claim privacy violations under the California Invasion of Privacy Act (CIPA). Rodriguez had accused the online car marketplace of violating CIPA’s pen register provision by sharing search queries containing sensitive data to third parties such as advertisers.
U.S. District Judge R. Gary Klausner held that Rodriguez did not suffer a concrete injury because she expected the data collection and disclosure when she visited the site specifically to identify privacy violations – in effect, her expectations negated any claim of privacy invasion. While Rodriguez claimed dual intent as a legitimate user and tester, the court concluded her anticipation of data collection undermined her claim. The decision also dismissed her related wiretapping claim, closing the case with prejudice.
BUSINESSES NEED TO KNOW: Amidst a growing onslaught of consumer claims related to website tracking and pen register violations of CIPA, we’re seeing inconsistent rulings across federal and state courts. However, businesses should be heartened to see “website testers” – individuals who actively seek out privacy violations and file lawsuits to ensure legal compliance – being challenged by courts to effectively demonstrate the harms sustained in light of this occupation.
Sixth Circuit Rules VPPA Doesn’t Protect Digital Newsletter Subscribers
The Sixth Circuit ruled that the Video Privacy Protection Act (VPPA) does not cover subscribers of digital newsletters. The panel majority affirmed the dismissal of a proposed class action brought by Michael Salazar, who subscribed to a digital newsletter from Paramount Global’s 24/7 Sports, finding that the VPPA only covers subscribers to actual audiovisual materials, not general services like newsletters that merely link to videos or direct subscribers to video content.
The court’s decision diverges from previous interpretations by the Second and Seventh Circuits, creating a circuit split that could eventually reach the Supreme Court. Salazar’s case is part of broader litigation against companies using Meta Pixel to track user activity and share data with Meta.
BUSINESSES NEED TO KNOW: Companies should be cautious about how they collect and share user data, especially when using tracking tools like Meta Pixel. Because there’s now a circuit split, your VPPA risk could depend heavily on where you operate and could change if the Supreme Court eventually steps in. Regardless of VPPA liability, sharing user data without clear disclosure and applicable consent is still risky under other laws like state privacy laws and broader unfair practices standards under the FTC Act.
FTC Outlines Regulatory Priorities as Challenge Continues over Fired Commissioners
The FTC is moving forward with its regulatory agenda, even as a legal battle over the controversial firing of its two Democratic commissioners continues. Speaking at the International Association of Privacy Professionals’ (IAPP) Global Privacy Summit, Commissioner Melissa Holyoak shared the agency’s top data privacy priorities while emphasizing the need for flexible regulation to avoid stifling innovation. The stated priorities include: 1) regulating AI technology, 2) enhancing online protections for children and teens, and 3) strengthening enforcement against businesses that sell, transfer, or disclose geolocation or other sensitive data to foreign adversaries.
BUSINESSES NEED TO KNOW: The now Republican-led agency is shifting toward a more enforcement-focused approach to data privacy, prioritizing established harms rather than pursuing new regulations or expansive interpretations of existing statutes. However, if the controversial firings of Democratic commissioners Rebecca Slaughter and Alvaro Bedoya are ruled unlawful, that could jeopardize the validity of FTC enforcement efforts. Further uncertainty looms over the agency’s independence due to a Trump executive order requiring major regulatory actions to be reviewed by the White House.
Congress Passes TAKE IT DOWN Act to Combat Non-Consensual Imagery
Congress has passed the bipartisan TAKE IT DOWN Act, a landmark privacy bill aimed at curbing the spread of non-consensual intimate imagery. The legislation establishes a federal standard requiring covered websites that host user-generated content to remove intimate images within 48 hours of a valid takedown request. This includes both real and artificially-created content and applies to both adults and minors. The law also introduces criminal penalties for violators and empowers the FTC to enforce compliance on the regulatory side. While the bill imposes new responsibilities on platforms, it does include a safe harbor provision protecting sites that act in good faith to remove flagged content.
BUSINESSES NEED TO KNOW: As the TAKE IT DOWN Act awaits the President’s signature to become law, it’s clear this Congress is taking privacy regulation more seriously. The Act marks a significant step forward for online privacy and could pave the way for broader legislation in the future – including a federal comprehensive privacy law.
MA Data Broker Sued for Allegedly Violating CO Privacy Law by Listing Cellphone Numbers
A proposed class action filed in Massachusetts state court accused Boston-based data broker Infopay Inc., operating as InfoTracer, of violating Colorado’s Prevention of Telemarketing Fraud Act (PTFA). The lawsuit claims Infopay, which runs a website that offers access to personal information such as phone numbers and addresses to the public for a fee, unlawfully included the cellphone numbers of thousands of Colorado residents in its online directory without obtaining, or even seeking, consent. The PTFA was amended in 2005 to prohibit the commercial listing of personal cellphone numbers without owner consent. It provides for penalties of up to $500 for a first offense and up to $1,000 for second or subsequent offense, a liability that can quickly grow under a class action.
BUSINESSES NEED TO KNOW: The TCPA may be getting today’s headlines, but businesses also need to pay attention to existing state laws impacting consumer privacy rights. While Colorado’s law may be an outlier, this case serves as a reminder that there are older laws (even some that predate expansive use of the Internet) governing use of personal information which are being tested in courts.
TCPA & TELESERVICES
FCC Reduces Pricing and Expands Reassigned Numbers Database
The Federal Communications Commission (FCC) announced reduced pricing for its Reassigned Numbers Database, a tool that helps callers avoid contacting individuals who have inherited someone else’s old phone number. The new pricing includes a 20% discount on existing subscription tiers and introduces two new volume tiers. The changes aim to make it easier for callers to check large volumes of numbers, reducing misdirected calls and potential liability under the TCPA.
BUSINESSES NEED TO KNOW: This reduced pricing means a lower burden for business in utilizing this important risk mitigation tool – and who doesn’t want less risk? More info on the RND can be found at www.reassigned.us.
FCC Delays Provision of New Revocation of Consent Regulations Until April 11, 2026
Just days before new consent revocation rules were set to take effect on April 11, 2025, the FCC issued an Order delaying part of its updated regulations. Specifically, the FCC postponed for one year the requirement that businesses apply a consumer’s opt-out request across all communications—calls and texts—for which consent is required, regardless of the message’s purpose. The delay came in response to concerns from financial institutions about the complexity and cost of implementing cross-channel revocation systems, especially for businesses with multiple communication platforms and business units.
Despite this delay, the rest of the FCC’s revocation rules took effect on April 11, 2025. These include honoring revocations through any “reasonable method,” such as replies to texts with common opt-out terms (e.g., “stop,” “unsubscribe”), or through designated websites or phone numbers. Businesses must act on these revocations within a reasonable time not to exceed 10 business days and treat them as definitive unless clarified otherwise by the consumer.
BUSINESSES NEED TO KNOW: Businesses must still comply with most of the FCC’s new revocation rules that took effect in April. This includes recognizing a wide range of consumer opt-out methods, training staff to identify valid revocation requests, and ensuring revocations are processed within the 10-business day requirement. While the requirement to harmonize opt-outs across all communication channels is delayed until 2026, companies should begin preparing now.
Circuit Court Denies Appeal on Verbal Consent under the TCPA in Bradley v. Dentalplans.com
The U.S. Fourth Circuit Court of Appeals denied Dentalplans.com’s petition for an interlocutory appeal, meaning the case, Bradley v. Dentalplans.com, will continue in the U.S. District Court for Maryland. The Court had previously ruled that the E-SIGN Act’s “consumer disclosure” requirement applies in the context of the TCPA, meaning businesses must obtain “E-SIGN consent” to provide the “prior express written consent” disclosures under the TCPA electronically and cannot provide them orally. Although there are some older court rulings that reached the opposite conclusion regarding the applicability of the E-SIGN Act to the TCPA, relying on those decisions now is considered risky.
BUSINESSES NEED TO KNOW: Businesses that have previously provided the “prior express written consent” disclosures orally should be aware that these consents are likely insufficient for PEWC purposes and should not be relied upon. We strongly recommend transitioning to an E-SIGN Act-compliant electronic process to reduce legal risk.
ADVERTISING & MARKETING
Bigelow Found Liable for Misleading “Manufactured in the USA” Tea Labeling
A California federal jury found R.C. Bigelow liable for fraud, breach of express warranty, and violating the state’s Consumer Legal Remedies Act by falsely labeling some of its tea products as “Manufactured in the USA 100%.” The jury awarded a class of California consumers $2.36 million in damages but declined to impose punitive damages. Bigelow had argued that “Manufactured in the USA” referred to its U.S.-based blending and packaging facilities, but a prior District Court ruling found the label was “literally false,” as most of Bigelow’s tea leaves are sourced from countries like China and Sri Lanka. The jury was left to decide whether the company intentionally misled consumers or acted recklessly.
BUSINESSES NEED TO KNOW: This case serves as a cautionary tale for companies using “Made in the USA” or similar claims in marketing. Be sure that such labels comply with strict FTC standards and accurately reflect the origin of all significant components or processing. Misleading claims, even if unintentional, can lead to costly litigation and reputational damage. Review labeling practices, maintain clear documentation of sourcing and manufacturing processes, and train marketing teams on compliance to avoid legal challenges.
Washington Supreme Court Ruling Broadens Scope of Spam Law
In a narrow 5-4 decision, Washington’s Supreme Court ruled that the state’s Commercial Electronic Mail Act (CEMA) prohibits any false or misleading information in the subject lines of commercial emails—not just misrepresentations to hide a message’s commercial nature. The ruling, prompted by a certified question from a federal judge in a proposed class action against Old Navy, supports consumers Roxann Brown and Michelle Smith, who allege they were misled by deceptive promotional subject lines designed to create urgency by falsely advertising sales and discounts as time-limited. The court rejected Old Navy’s narrower interpretation that the law only bars subject lines that misrepresent an email’s commercial nature. The ruling clears the way for the consumers’ claims to proceed.
BUSINESSES NEED TO KNOW: Although Old Navy failed in its bid to have the suit dismissed, it was successful in one important aspect of its arguments. The court unanimously agreed that CEMA protection does not extend to commercial emails with “puffery” language – such as hyperbole, subjective statements, and opinions – in the subject line. Exaggerated claims such as “Best Deals of the Year,” could expose businesses to millions of dollars in CEMA liability.
In case you missed it…
M&S Webinar: Lead or Lie? Unmasking Lead Fraud is available to watch on our website.
Learn how we can help keep you in compliance and ahead of the regulatory curve. Let’s Talk.
Want to receive Regulatory Roundups right to your inbox? Subscribe.